When does Firefox throw ssl_error_bad_cert_domain with a wildcard certificate?


Problem description



I've searched through https://developer.mozilla.org/en-US/ and Google and still cannot learn exactly why Firefox would display its "This Connection is Untrusted" screen/UI with "(Error code: ssl_error_bad_cert_domain)" under "Technical Details".

Is it really as simple as "The SSL certificate common name does not match the fully qualified domain name (FQDN) of the webserver/website." ?

If so, then why wouldn't an SSL certificate with the common name "*.subdomain.mydomain.tld" work with the website "https://subdomain.mydomain.tld" and throw this specific error?

Solution

If so, then why wouldn't an SSL certificate with the common name "*.subdomain.mydomain.tld" work with the website "https://subdomain.mydomain.tld" and throw this specific error?

A wildcard stands for a single label and not for nothing. That means *.subdomain.example.com does not match subdomain.example.com but it will match foo.subdomain.example.com. To match subdomain.example.com too, the certificate has to include both *.subdomain.example.com and also subdomain.example.com as subject alternative names. Note that *.example.com would also match subdomain.example.com but not foo.subdomain.example.com.
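The single-label rule from the answer, written out as an added example (not code from the original post and not Firefox's implementation). It is a simplified matcher that assumes the wildcard is the whole leftmost label; the function names and the sample names in the demo are constructed for illustration.

```python
def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def pattern_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard replaces exactly one label, so the label counts must be equal.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Only the leftmost label is a wildcard; the rest must match exactly.
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, hostname):
    """True if any subject alternative name in the list covers hostname."""
    return any(pattern_matches(n, hostname) for n in san_names)


def audit(san_names, hostnames):
    """Map each hostname to whether the certificate names cover it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample data using the names from the answer.
    hosts = ["subdomain.example.com", "foo.subdomain.example.com",
             "a.b.subdomain.example.com"]
    for sans in (["*.subdomain.example.com"],
                 ["*.subdomain.example.com", "subdomain.example.com"],
                 ["*.example.com"]):
        print(sans)
        for host, ok in audit(sans, hosts).items():
            print(f"  {host}: {'match' if ok else 'ssl_error_bad_cert_domain'}")
```

Running `audit` over the hostnames a server actually answers on, before deploying a certificate, shows which ones need their own subject alternative name entry.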
