[Webkit-unassigned] [Bug 14215] Can't establish a secure connection with wildcard SSL certificate

Thu Mar 12 08:14:39 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=14215

------- Comment #26 from ddkilzer at webkit.org  2009-03-12 08:14 PDT -------
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #20)
> > > > Not a verisign example (Comodo instead), but:
> > > > https://0-scifinder.cas.org.sculib.scu.edu
> > > 
> > > When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not
> > > get a certificate warning.
> > > 
> > > When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a
> > > certificate warning.
> > 
> > I can confirm on my new macbook this isn't an issue Leopard 10.5.6 I accept
> > certificate and things are fine.. I don't have a windows box around or i'd try
> > that..
> 
> But the bug is that you shouldn't have to accept the certificate at all!!  :)

In this case, Tiger is wrong.  You should get a certificate warning because a
wild card certificate for *.sculib.scu.edu doesn't "match"
0-scifinder.cas.org.sculib.scu.edu.  To put it another way, the "*" in the wild
card certificate only matches one subdomain name--it can't cross "."
boundaries.  So in this test case, the behavior in Leopard is correct.

(In reply to comment #25)
> I thought I replied to this, hrmm my brain must really be turning into mush..
> The bug for me is that I have to repeatedly accept the certificate and not just
> accept it once; you should be able to get a secure connection with the
> certificate once it's been downloaded. That works for the above; otherwise it's
> screwed.

I still can't reproduce this locally by changing /etc/hosts.  We REALLY need a
"hidden" test URL that does the redirection to make this reproduce easily.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.