NOTE: A version of this was also posted yesterday in the IE 7 forum. Unfortunately I received no useful responses, so I thought this might be an alternative place, as it regards SSL (thus security) in IE 7. Sorry for the crosspost, but I think it is a problem that should be resolved (or at least answered).
Description of Potential Bug: MS IE 7.0 fails to act properly in dealing with SSL wildcard certificates in certain situations. A wildcard SSL certificate should be valid for both subdomain.domain.tld as well as www.subdomain.domain.tld - such processing for wildcard certificates probably should be valid for any valid DNS-creatable subdomain (e.g., www.foo.bar.domain.tld) of a valid domain name (e.g., domain.tld) for which the wildcard certificate was created.
Obviously, care should be used in handling what constitutes a valid domain (e.g., *.tld should probably never be valid for a wildcard certificate issued for a top level domain or issues in certain country code naming scenarios), but those issues extend beyond the scope of this report.
Problem Scenario: After successfully installing a wildcard SSL cert for a domain (e.g., *.domain.tld) on both an IIS 5.0 (Windows 2000) platform and an IIS 6.0 (Windows 2003) platform, IE 7.0 fails to treat the wildcard SSL certificate as being valid for both the www.subdomain.domain.tld and subdomain.domain.tld names. Instead it only accepts the subdomain.domain.tld variant as acceptable. In this particular scenario, the domain happens to be a two-letter .com name.
Suggestion of Potential Bug: This problem does not occur in other browsers (e.g., Firefox, Opera), where those browsers accept both the subdomain.domain.tld and www.subdomain.domain.tld variants as acceptable for the SSL certificate. As such, in both of the above-mentioned browsers, the replication actions suggested below work as expected.
Replication Actions: For a domain using a wildcard secure SSL certificate (e.g., *.domain.tld) successfully installed on a late-model IIS server -
When accessing foo.domain.tld as https://foo.domain.tld in IE 7.0 - normal access as expected to a page with SSL enabled.
When accessing www.foo.domain.tld as https://www.foo.domain.tld in IE 7.0 - an error occurs indicating that the certificate is invalid for the domain. Expected results would be a working HTTPS page result with secure SSL engaged, based upon both the results from other browsers and definition expectations for a wildcard SSL certificate.
Replies to the message from Commerce (Commerce@discussions.microsoft.com)
Not a bug - this is the way that the HTTPS protocol is supposed to work, and those other browsers are being insecure by allowing wildcards to work in that way. Here's the quote from RFC 2818 (HTTP over TLS):
"Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com."
So, there you have it - "*.a.com matches foo.a.com, but not bar.foo.a.com" - you're asking Microsoft to break the standards for the trifling reason that everyone else does it wrong. Not cool. Report the bugs in those other browsers, and see if they fix them.
Alun. ~~~~
"Commerce" wrote in message news:F1042725-B190-415A-9097-2BF2357D2A52@microsoft.com...
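The RFC 2818 rule quoted above, worked through in code as an added example that is not part of the thread: the strict matcher treats `*` as covering exactly one label (or a fragment of one), so `*.domain.tld` covers foo.domain.tld but not www.foo.domain.tld, which is the behaviour the thread attributes to IE 7. The `www_extension_match` function is a constructed model of the relaxation the original poster argues for, not any browser's documented implementation.

```python
import re


def _label_to_regex(label: str):
    # One pattern label such as 'f*' becomes a regex confined to a single
    # DNS component: '*' may match any run of characters but never a dot.
    parts = [re.escape(p) for p in label.split("*")]
    return re.compile("^" + "[^.]*".join(parts) + "$")


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Strict RFC 2818 section 3.1 rule: '*' matches any single domain name
    component or component fragment, so pattern and host must have the same
    number of labels. Comparison is case-insensitive, as DNS names are."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.domain.tld' cannot absorb both 'www' and 'foo'
    return all(_label_to_regex(p).match(h) for p, h in zip(p_labels, h_labels))


def www_extension_match(pattern: str, hostname: str) -> bool:
    """Constructed model of the relaxed behaviour the original poster argues
    for (not a standard): a name is also accepted when stripping a leading
    'www.' makes it match the strict rule."""
    if rfc2818_match(pattern, hostname):
        return True
    host = hostname.lower()
    return host.startswith("www.") and rfc2818_match(pattern, host[4:])


def certificate_matches(dns_names, hostname: str) -> bool:
    """RFC 2818: with several dNSName entries, a match on any one is enough."""
    return any(rfc2818_match(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed checks taken from the RFC text and from the thread's scenario.
    cases = [
        ("*.a.com", "foo.a.com"),
        ("*.a.com", "bar.foo.a.com"),
        ("f*.com", "foo.com"),
        ("f*.com", "bar.com"),
        ("*.domain.tld", "foo.domain.tld"),
        ("*.domain.tld", "www.foo.domain.tld"),
    ]
    for pat, host in cases:
        print(f"{pat:13} {host:20} strict={rfc2818_match(pat, host)!s:5} "
              f"www-extension={www_extension_match(pat, host)}")
```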
Great answer and although not what I had hoped would be the case, I thank you for it. Based upon your cite, clearly, IE 7 follows the standard properly and the others do not. My conclusion was wrong.
Arguably, however, the RFC 2818 standard should be modified, at least to the degree that it acknowledges the predating de facto standard for web site access over HTTP, which has historically been the use of a www subdomain (albeit that is in HTTP, but then HTTPS is just a secure layer upon which HTTP rides, so it is not all that outrageous to consider).
My feeling is that wildcard subdomains for HTTPS should at least be extended such that a.sld.tld should reasonably also cover www.a.sld.tld. I suppose the other browser companies felt that way too and thus "bent" the standard a bit to accommodate that historic convention. Perhaps these other companies would consider it a "standards extension" to their products.
While strictly speaking, ignoring standards is a no-no (or as you say, "not cool"), in this case, I think that it is understandable. I do not think that such an action would compromise security, because the basic underlying settings that make wildcarding possible are addressed within DNS and at the secure host header level on the server.
Again, thank you for your clear answer. I already adjusted the site to accommodate what I considered an IE 7 "bug", so the issue will not be problematic here (though a bit inconvenient). Now I suppose that I am happy to find that my "fix" follows the intended standard after all. So, I guess if the other browsers need to "downgrade" their "standards extension", it will not cause any issues around here.
My sincere apologies to the community for raising what appears to be a false alarm.
-Commerce
"Alun Jones" wrote:
Vulnerabilite.com cannot be held responsible for the statements made in the microsoft.public.security newsgroup.