Some Trouble with Wildcard SSL Certificates, FireFox and RFC2818

March 21, 2007 Comment on this post [11] Posted in ASP.NET

Sponsored By

When working on a non-finance website recently, the client wanted to include the username as the subdomain, to give the user more of a sense of "my site." So, Fred gets https://fred.foo.com as his address.

The client purchased a very expensive (US$500) "Wildcard SSL Certificate" for https://*.foo.com and it works fine.

Some trouble happened when a staging site was introduced. Now we're looking at https://fred.staging.foo.com for the URL.

This works fine in FireFox 2 as seen in this screenshot:

But IE7 really doesn't like it. Your first reaction might be to get mad at IE7, "those jerks! They never follow the spec."

However, according to RFC2818 with emphasis mine (Thanks Eric Lawrence!):

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

When I visit *.foo.com with IE7, it works fine, per spec.

My conclusion here is that FireFox 2 is out of spec with RFC2818. I wonder if this is known by the FireFox team? Am I missing something?

In our case, we'll need to either have wildcard certificate that covers both *.foo.com and *.staging.foo.com (the latter in the SubjectAltName field). If a CA won’t issue us such a certificate for whatever reason, we'll need to buy two different wildcard certificates ($$), and also host staging.foo.com on a different port or IP address, since the Server Name Indicator TLS extension is not broadly available at this point, and hence you cannot reliably use two different certificates for the same endpoint. Again, thanks to EricL for helping explain this.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About Newsletter

Hosting By

Comment on this post [11]

Share on or or use the Permalink

March 21, 2007 3:10

This is just more proof that web certificates are more complicated than I ever want to learn. My hierarchy of pain goes something like:

(in levels of increasing pain):
* Website layout (CSS)
* Javascript debugging
* linux
* web certificate anything
* x86 assembly
* public speaking

As you can see, web certificates score pretty high on the pain scale, and as I learn more about them, they continue to rise in the ranks!

Peter {faa780ce-0f0a-4c28-81d2-3

March 21, 2007 12:42

Scott,

Out of interest, how did you go about creating the subdomain per user through code?

I want to do this for an upcoming project, but I have no idea where to start. I'll be using .net 2.0 and IIS 6 - am I reduced to monkeying around with IIS with WMI or something?

Any pointers would be really appreciated.

Andrew

March 21, 2007 12:48

Actually, you can't put a wildcard in the SubjectAltName field. RFC 3280 specifies that the subjectAltName MUST be in RFC 1738 format, which does not allow wildcards.

Wildcards are a real hack anyway. The proper solution would be to get the CA to issue you a CA certificate with NameConstraints set to ".foo.com", so you could issue your own certificates for the subdomains.

Rasmus Faber

March 21, 2007 13:33

Scott - RFC 2818 appears to be a best practices memo and not an explicit specification so compliance with it would be less clear cut - advisable\desirable but not mandatory. Rasmus Faber's comment that RFC3280 requires the subjectAltName MUST be in RFC 1738 format is not obvious to me - that only applies if the subjectAltName is a URI although it is equally specific about other subjectAltName forms being unique. That said RFC 3280 4.2.1.7 does say about wildcarded subjectAltNames that "Applications with specific requirements MAY use such names, but they must define the semantics". Given that it seems that RFC 2818 is the best "standard" to follow though even if it isn't a real standard. That probably does reflect the point that Rasmus made - wildcards are a hack and his recommended approach is much better if it is practical.

Joe Mansfield

March 21, 2007 17:38

Scott,

My company has purchased and used wildcard SSL certs on several of our web sites. I would agree, Firefox is not following the RFC and more then likely you'll have to purchase a second wildcard SSL cert to use the subdomain.

I assume you're using IIS to host the web sites, here is a little know secret - you can configure IIS to handle SSL certs with host headers. Here is a TechNet article with some information: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Hope you find it useful.

Otto

March 21, 2007 20:56

So, your index page builds the links for cities (whatever) tagged onto the front of your domain name:
www.boston.lazydancer.com

Then your dynamic "return everything you want about this city" page, which is set as the default page in IIS graps whatever URL is coming in and checks what is on the front. Not sure, but the code below might not display correctly in Scott's dasblog. I, myself, am going to switch over to URL rewriting (as per Scott's previous blogs) to get this: www.lazydancer.com/Boston. Why? Becuase search engines frown on subdomain prefixes that are only one page worth of stuff.(I could be crazy).

Private Sub sSetCity_Production()
'===================================================
'FOR PRODUCTION ENVIRONMENT
'===================================================
Dim strSite As String
'GET OUR URL
strSite = Request.ServerVariables("HTTP_HOST")

'strSite = strSite '.ToLower
'NO CITY SUBDOMAIN, NEED TO GO TO index.aspx to choose a city
If strSite = "www.lazydancer.com" Or strSite = "lazydancer.com" Then

Response.Redirect("index.aspx")
End If

'Else 'HAS CITY SUBDOMAIN PREFIX
' COOKIE
If Not Request.Cookies("CityName") Is Nothing Then
strSite = Server.HtmlEncode(Request.Cookies("CityName").Value)

Else
'NO COOKIE
'CHECK FOR THE "WWW" AND REMOVE IT
If Left(strSite, 4) = "www." Then
strSite = Right(strSite, strSite.Length - 4) 'CentralCoast.LazyDancer.com
End If

'NOW GET RID OF EVERYTHING AFTER THE "DOT"
strSite = Left(strSite, strSite.IndexOf(".")) 'CentralCoast

End If

'FILL SESSION OBJECTS BEFORE LISTING DANCES
Dim conn2 As New SqlConnection(f1.fUseThisConnection(Server.MachineName))
Dim strSQL2 As String = "SELECT CityID, CityName, StateName, CityNameDisplay FROM zJohn.tblCities "
strSQL2 = strSQL2 & " WHERE CityName ='" & f1.stripInjection(strSite) & "'"

Dim cmd2 As New SqlCommand(strSQL2, conn2)
cmd2.Connection.Open()
cmd2.CommandText = strSQL2
Dim dr2 As SqlDataReader = cmd2.ExecuteReader(CommandBehavior.CloseConnection)

If dr2.HasRows Then
dr2.Read()
Session("CityID") = dr2("CityID")
Session("StateName") = dr2("StateName")
Session("CityName") = dr2("CityName") 'NO SPACES
Session("CityNameDisplay") = dr2("CityNameDisplay").ToString 'SPACES LIKE "Central Coast"
'EXAMPLE: CentralCoast IN URL, Central Coast in database

cmd2.Dispose()
conn2.Close()
conn2 = Nothing

Else 'REDIRECT TO INDEX PAGE BECAUSE CITY DOESN'T EXIST
cmd2.Dispose()
conn2.Close()
conn2 = Nothing
Response.Redirect("index.aspx", True)
End If

'End If

End Sub

John A. Davis

March 21, 2007 20:58

oops, I forgot to quote Andrew's comment about how do create/use subdomains:
(you also have to put a wildcard(*) in IIS's domain name thing)

<Andrew asked>
Scott,

Out of interest, how did you go about creating the subdomain per user through code?

I want to do this for an upcoming project, but I have no idea where to start. I'll be using .net 2.0 and IIS 6 - am I reduced to monkeying around with IIS with WMI or something?

Any pointers would be really appreciated.
</Andrew asked>

John A. Davis

March 21, 2007 23:09

Andrew

Check out this article on dynamic subdomains: Code Better

Eric

March 22, 2007 0:56

It might be easier to do it like this:
https://fred.foo.com
https://fred-staging.foo.com

Then you only have to do one certificate and you can map it however you want in IIS.

This might not fit for you though if you want *.foo.com and *.staging.foo.com to resolve to two different IPs using just two wildcard DNS entries. using my method you have to have individual *-staging entries in DNS if you want it to be different than *.foo.com

Tony Bunce

March 22, 2007 1:47

Thanks John and Eric!

Andrew

March 22, 2007 20:27

Just thinking, but what happens to just plain requests for .htm files? All this stuff has to happen at a very high webserver level to detect and deal with, no? Kinda like really good URL writing is an ISAPI filter, not a .NET interception? (I could be crazy).

John A. Davis

Comments are closed.