Bug 53288 - wildcard certificates must use X509v3 Subject Alternative Name instead of CN - rejected by Chrome (90.0.4430)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-1-errata
Assigned To: Èric Monné Mesalles
Philipp Hahn
https://git.knut.univention.de/univen...
Duplicates: 54626
Depends on:
Blocks:
Reported: 2021-05-19 13:37 CEST by Felix Botner
Modified: 2022-06-08 16:50 CEST (History)
CC: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Felix Botner univentionstaff 2021-05-19 13:37:10 CEST
Some apps use the univention-add-vhost functionality, which creates a wildcard certificate *.master.five.test for access to the app's web interface via a subdomain, e.g. jitsi.master.five.test.

Seems that Chrome is not happy about this certificate:

"This server could not prove that it is jitsi.master.five.test; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection."

and marks this as unsafe.
Comment 2 Ingo Steuwer univentionstaff 2021-10-04 12:36:13 CEST
This doesn't work in Chrome/Chromium default setup and no workaround is known.
Comment 3 Arvid Requate univentionstaff 2022-03-30 20:01:02 CEST
*** Bug 54626 has been marked as a duplicate of this bug. ***
Comment 4 Arvid Requate univentionstaff 2022-03-30 20:09:43 CEST
Our wildcard certificate doesn't have a "X509v3 Subject Alternative Name" field.

https://serverfault.com/questions/559537/wildcard-certificate-causes-warning-on-google-chrome-only
Comment 5 Philipp Hahn univentionstaff 2022-03-31 07:32:41 CEST
We're also affected by this <https://chat.univention.de/channel/gitlab-migration?msg=rMvDuxYMp77J7AKx7>:

Chromium rejects the certificate, because it is wrong: `cn=*.gitpages.…`: the baseline requirements mandate the use of `subjectAltNames=`, but some™ browsers still implement the fallback to `cn`; but this is [deprecated since 2000](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1) and Chrome based browsers (Chrome, Chromium, Edge, …) enforce this since 2017.
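The rule described in the comment above, as an added example (not code from UCS, Chromium or this bug): a minimal browser-style hostname check in Python that consults only subjectAltName dNSName entries, applies the RFC 6125 wildcard rules, and ignores the CN entirely. The certificate values are constructed to mirror the *.master.five.test case from the description.

```python
from typing import List, Optional, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented dNSName (possibly a wildcard) against a hostname.

    RFC 6125 section 6.4.3 rules: case-insensitive; '*' is allowed only as the
    entire left-most label and stands for exactly one label, so '*.master.five.test'
    matches 'jitsi.master.five.test' but not 'master.five.test' or 'a.b.master.five.test'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label, no other label may contain one,
    # and at least two fixed labels must follow (rejects '*.test' style patterns).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_hostname(hostname: str, san_dns_names: List[str], cn: Optional[str]) -> Tuple[bool, str]:
    """Browser-style identity check: only subjectAltName dNSName entries are
    consulted.  The CN is a parameter purely to show that it is ignored, which
    is why a CN-only wildcard certificate is rejected by Chrome."""
    if not san_dns_names:
        return False, "no subjectAltName dNSName entries; CN=%r is not a fallback" % cn
    for san in san_dns_names:
        if dns_name_matches(san, hostname):
            return True, "matched subjectAltName DNS:%s" % san
    return False, "no subjectAltName entry matches %s" % hostname


if __name__ == "__main__":
    # Constructed certificates: the old UCS wildcard cert (CN only) and a fixed one.
    cn_only = ([], "*.master.five.test")
    with_san = (["*.master.five.test", "master.five.test"], "*.master.five.test")
    for label, (sans, cn) in (("CN-only", cn_only), ("with SAN", with_san)):
        for host in ("jitsi.master.five.test", "master.five.test", "a.b.master.five.test"):
            ok, why = check_hostname(host, sans, cn)
            print("%-8s %-24s %s (%s)" % (label, host, "OK" if ok else "REJECT", why))
```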
Comment 6 Philipp Hahn univentionstaff 2022-06-08 16:24:06 CEST
OK: cd8c8c26e0b61cd9fe2f56dec200e73f7a07d517
OK: a2c237100b7f1569c2ca42e4bfb93d000f2c7730
OK: doc/errata/staging/univention-ssl.yaml
OK: errata-announce  -V --onyl univention-ssl.yaml
OK: apt-get -t apt install univention-ssl
OK: univention-certificate new -name 'bar.phahn.dev' -days 10
OK: univention-certificate new -name '*.phahn.dev' -days 10
OK: univention-certificate list