Hey all,

I noticed some odd behavior in Firefox and I was curious if anyone else had 
this same behavior. I am using Apache with a single public IP; I am using the 
named hosts option and a browser that supports "Server Name Indication" in 
order to run multiple SSL sites.  My default website is 
"https://www.cryptosec.net" and my 2nd named host is 
"https://revoked.cryptosec.net".  When I load "https://revoked.cryptosec.net" 
in IE or Chrome, it successfully detects the revoked status.  However, if I 
load it in Firefox, it warns of a "Certificate mismatch" and displays the 
certificate for "https://www.cryptosec.net", which is the default (fallback) 
named virtual host.  It seems to me that Firefox falls back to the default 
named host instead of warning of revoked certificate status in this one use 
case.  Can anyone else confirm these results? 

The CA certificate for my website can be obtained from:
http://va.cryptosec.net:8080/ejbca/retrieve/ca_certs.jsp

My Apache ssl.conf looks like so:

Listen *:443

LoadModule ssl_module   modules/mod_ssl.so

SSLPassPhraseDialog     builtin
#AcceptMutex             fcntl
AcceptMutex             posixsem
SSLSessionCache         shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex                default
SSLRandomSeed           startup /dev/urandom  256
SSLRandomSeed           connect builtin

NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off


<VirtualHost *:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/pki/tls/certs/cryptosec.net.crt
        SSLCertificateKeyFile   /etc/pki/tls/private/cryptosec.net.key

        DocumentRoot "/var/www/cryptosec.net"
        ServerName "www.cryptosec.net"


        <Directory /var/www/cryptosec.net>
                AllowOverride FileInfo

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/pki/tls/certs/revoked.cryptosec.net.crt
        SSLCertificateKeyFile   /etc/pki/tls/private/revoked.cryptosec.net.key

        DocumentRoot "/var/www/revoked.cryptosec.net"
        ServerName "revoked.cryptosec.net"

        <Directory /var/www/revoked.cryptosec.net>
                AllowOverride FileInfo

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>
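Added example (not part of the original post): a small Python probe that connects to the server once with a given SNI name and once without, validates the chain against the CA certificate linked above, and reports which names the served certificate carries. This separates "Apache handed out the default vhost's certificate" from "the browser chose the wrong one", and with a CRL file it also makes the handshake fail on a revoked leaf. The paths `ca.pem` and `ca.crl` are assumptions; the sample certificate dictionary is constructed for offline use.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a cert (as returned by SSLSocket.getpeercert()) is valid for:
    SAN dNSName entries first, then the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(hostname, pattern):
    """RFC 6125-style comparison: exact match, or a single leftmost '*' label."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat) or len(pat) < 2:
        return False
    return host[1:] == pat[1:] if pat[0] == "*" else host == pat

def served_expected(hostname, cert):
    """True if the served certificate covers the name the client asked for."""
    return any(name_matches(hostname, n) for n in cert_names(cert))

def probe(host, port, sni, ca_file="ca.pem", crl_file=None):
    """Handshake with the given SNI name (None = no SNI, like a legacy client).
    Chain validation is on, hostname checking is off so a mismatched cert is
    observed rather than rejected. With crl_file, the leaf is checked against
    the CRL and a revoked certificate fails the handshake (ssl.SSLError)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    if crl_file:  # e.g. "ca.crl" (assumed path); CRLs load like CA files
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return {"sni": sni, "names": cert_names(cert),
            "matches_sni": served_expected(sni, cert) if sni else None}

# Constructed stand-in for what getpeercert() returns for the default vhost.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", "www.cryptosec.net"),),),
    "subjectAltName": (("DNS", "www.cryptosec.net"), ("DNS", "cryptosec.net")),
}

if __name__ == "__main__":
    for sni in ("revoked.cryptosec.net", None):
        print(probe("revoked.cryptosec.net", 443, sni))
```

If the `sni="revoked.cryptosec.net"` probe reports `matches_sni: True` while the browser still shows the www certificate, the fallback is happening on the client side, not in Apache.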
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy