In our enterprise, SSL certificates with a valid subjectAltName field are required for all webservers, and we want to be able to show (test/prod) users a warning when this is not the case.
However, with current Firefox ESR78 this does not seem possible: it seems to always ignore a missing subjectAltName (and fall back to CN) for websites signed with an internal/imported root. The default setting security.pki.name_matching_mode = 3 (only use name information from the subject alternative name extension) does not work for imported roots.

It seems this was introduced a few years ago, in order not to break too many internal websites at that time: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280

Would it be possible on ESR78 to show this warning also for sites signed with imported roots? (Either with a group policy option, or by default like Edge/Chrome.)

For reference, Edge/Chrome do show a warning for all https sites without subjectAltName (NET::ERR_CERT_COMMON_NAME_INVALID).

Chrome removed the CN fallback by default since v58: https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates

It had an optional Enterprise policy to enable CN fallback for local roots, which was deprecated per v65: https://cloud.google.com/docs/chrome-enterprise/policies/?policy=EnableCommonNameFallbackForLocalAnchors

Regards,
Lennert Roest

Desktop Hosting 2 Acceptatie
Shared Service Center ICT

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
Ministerie van Justitie en Veiligheid.
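As an added example (not part of the original message, and not Firefox or NSS code): a minimal pure-Python DER walk that returns the dNSName entries of a certificate's subjectAltName extension, which is exactly the property the request above wants enforced; an empty result is the certificate that Firefox ESR78 silently matches against the subject CN for imported roots. The certificate it parses is a constructed, unsigned skeleton built inline, and `intranet.example` is an assumed hostname.

```python
SAN_OID = bytes.fromhex("551d11")          # 2.5.29.17 id-ce-subjectAltName

def _tlv(data, pos):                       # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):                      # (tag, value) of each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def san_dns_names(cert_der: bytes) -> list:
    _, cert, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tbs = next(_children(cert))[1]
    for tag, value in _children(tbs):
        if tag != 0xA3:                    # extensions [3] EXPLICIT Extensions OPTIONAL
            continue
        for _, ext in _children(next(_children(value))[1]):
            fields = list(_children(ext))  # extnID, [critical], extnValue
            if fields[0][1] != SAN_OID:
                continue
            general_names = next(_children(fields[-1][1]))[1]   # OCTET STRING wraps GeneralNames
            return [v.decode("ascii") for t, v in _children(general_names) if t == 0x82]
    return []                              # no SAN at all: only the subject CN is left to match

def _der(tag, body):                       # DER encoder, short- or long-form length
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def _seq(*parts):
    return _der(0x30, b"".join(parts))

def build_sample_cert(host: str, with_san: bool) -> bytes:   # constructed, unsigned skeleton
    name = _seq(_der(0x31, _seq(_der(0x06, bytes.fromhex("550403")), _der(0x0C, host.encode()))))
    sig_alg = _seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05, b""))
    parts = [
        _der(0xA0, _der(0x02, b"\x02")),                    # [0] version v3
        _der(0x02, b"\x01"), sig_alg, name,                 # serialNumber, signature, issuer
        _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"260101000000Z")),   # validity
        name,                                               # subject: commonName only
        _seq(_seq(_der(0x06, bytes.fromhex("2a864886f70d010101"))), _der(0x03, b"\x00")),  # SPKI placeholder
    ]
    if with_san:                                            # Extension { OID, OCTET STRING { GeneralNames } }
        san = _der(0x04, _seq(_der(0x82, host.encode())))   # dNSName is context tag [2]
        parts.append(_der(0xA3, _seq(_seq(_der(0x06, SAN_OID), san))))
    return _seq(_seq(*parts), sig_alg, _der(0x03, b"\x00"))   # placeholder signature value
```

Against a real server certificate, pass the DER bytes (for example the output of `openssl x509 -outform DER`) to `san_dns_names`; an empty list is the warning condition.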
Enterprise mailing list, https://mail.mozilla.org/listinfo/enterprise

