Scott Hanselman

Some Trouble with Wildcard SSL Certificates, FireFox and RFC2818

March 20, '07 Comments [11] Posted in ASP.NET
Sponsored By

When working on a non-finance website recently, the client wanted to include the username as the subdomain, to give the user more of a sense of "my site." So, Fred gets https://fred.foo.com as his address.

The client purchased a very expensive (US$500) "Wildcard SSL Certificate" for https://*.foo.com and it works fine.

Some trouble happened when a staging site was introduced. Now we're looking at https://fred.staging.foo.com for the URL.

This works fine in FireFox 2 as seen in this screenshot:

But IE7 really doesn't like it. Your first reaction might be to get mad at IE7, "those jerks! They never follow the spec."

However, according to RFC2818 with emphasis mine (Thanks Eric Lawrence!):

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

When I visit *.foo.com with IE7, it works fine, per spec.

My conclusion here is that FireFox 2 is out of spec with RFC2818. I wonder if this is known by the FireFox team? Am I missing something?

In our case, we'll need to either have wildcard certificate that covers both *.foo.com and *.staging.foo.com (the latter in the SubjectAltName field).  If a CA won’t issue us such a certificate for whatever reason, we'll need to buy two different wildcard certificates ($$), and also host staging.foo.com on a different port or IP address, since the Server Name Indicator TLS extension is not broadly available at this point, and hence you cannot reliably use two different certificates for the same endpoint. Again, thanks to EricL for helping explain this.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Tuesday, March 20, 2007 11:10:58 PM UTC
This is just more proof that web certificates are more complicated than I ever want to learn. My hierarchy of pain goes something like:

(in levels of increasing pain):
* Website layout (CSS)
* Javascript debugging
* linux
* web certificate anything
* x86 assembly
* public speaking

As you can see, web certificates score pretty high on the pain scale, and as I learn more about them, they continue to rise in the ranks!
Peter {faa780ce-0f0a-4c28-81d2-3
Wednesday, March 21, 2007 8:42:35 AM UTC
Scott,

Out of interest, how did you go about creating the subdomain per user through code?

I want to do this for an upcoming project, but I have no idea where to start. I'll be using .net 2.0 and IIS 6 - am I reduced to monkeying around with IIS with WMI or something?

Any pointers would be really appreciated.
Wednesday, March 21, 2007 8:48:32 AM UTC
Actually, you can't put a wildcard in the SubjectAltName field. RFC 3280 specifies that the subjectAltName MUST be in RFC 1738 format, which does not allow wildcards.

Wildcards are a real hack anyway. The proper solution would be to get the CA to issue you a CA certificate with NameConstraints set to ".foo.com", so you could issue your own certificates for the subdomains.
Wednesday, March 21, 2007 9:33:26 AM UTC
Scott - RFC 2818 appears to be a best practices memo and not an explicit specification so compliance with it would be less clear cut - advisable\desirable but not mandatory. Rasmus Faber's comment that RFC3280 requires the subjectAltName MUST be in RFC 1738 format is not obvious to me - that only applies if the subjectAltName is a URI although it is equally specific about other subjectAltName forms being unique. That said RFC 3280 4.2.1.7 does say about wildcarded subjectAltNames that "Applications with specific requirements MAY use such names, but they must define the semantics". Given that it seems that RFC 2818 is the best "standard" to follow though even if it isn't a real standard. That probably does reflect the point that Rasmus made - wildcards are a hack and his recommended approach is much better if it is practical.
Joe Mansfield
Wednesday, March 21, 2007 1:38:27 PM UTC
Scott,

My company has purchased and used wildcard SSL certs on several of our web sites. I would agree, Firefox is not following the RFC and more then likely you'll have to purchase a second wildcard SSL cert to use the subdomain.

I assume you're using IIS to host the web sites, here is a little know secret - you can configure IIS to handle SSL certs with host headers. Here is a TechNet article with some information: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Hope you find it useful.
Wednesday, March 21, 2007 4:56:26 PM UTC
So, your index page builds the links for cities (whatever) tagged onto the front of your domain name:
www.boston.lazydancer.com

Then your dynamic "return everything you want about this city" page, which is set as the default page in IIS graps whatever URL is coming in and checks what is on the front. Not sure, but the code below might not display correctly in Scott's dasblog. I, myself, am going to switch over to URL rewriting (as per Scott's previous blogs) to get this: www.lazydancer.com/Boston. Why? Becuase search engines frown on subdomain prefixes that are only one page worth of stuff.(I could be crazy).


Private Sub sSetCity_Production()
'===================================================
'FOR PRODUCTION ENVIRONMENT
'===================================================
Dim strSite As String
'GET OUR URL
strSite = Request.ServerVariables("HTTP_HOST")

'strSite = strSite '.ToLower
'NO CITY SUBDOMAIN, NEED TO GO TO index.aspx to choose a city
If strSite = "www.lazydancer.com" Or strSite = "lazydancer.com" Then

Response.Redirect("index.aspx")
End If

'Else 'HAS CITY SUBDOMAIN PREFIX
' COOKIE
If Not Request.Cookies("CityName") Is Nothing Then
strSite = Server.HtmlEncode(Request.Cookies("CityName").Value)

Else
'NO COOKIE
'CHECK FOR THE "WWW" AND REMOVE IT
If Left(strSite, 4) = "www." Then
strSite = Right(strSite, strSite.Length - 4) 'CentralCoast.LazyDancer.com
End If

'NOW GET RID OF EVERYTHING AFTER THE "DOT"
strSite = Left(strSite, strSite.IndexOf(".")) 'CentralCoast

End If

'FILL SESSION OBJECTS BEFORE LISTING DANCES
Dim conn2 As New SqlConnection(f1.fUseThisConnection(Server.MachineName))
Dim strSQL2 As String = "SELECT CityID, CityName, StateName, CityNameDisplay FROM zJohn.tblCities "
strSQL2 = strSQL2 & " WHERE CityName ='" & f1.stripInjection(strSite) & "'"

Dim cmd2 As New SqlCommand(strSQL2, conn2)
cmd2.Connection.Open()
cmd2.CommandText = strSQL2
Dim dr2 As SqlDataReader = cmd2.ExecuteReader(CommandBehavior.CloseConnection)

If dr2.HasRows Then
dr2.Read()
Session("CityID") = dr2("CityID")
Session("StateName") = dr2("StateName")
Session("CityName") = dr2("CityName") 'NO SPACES
Session("CityNameDisplay") = dr2("CityNameDisplay").ToString 'SPACES LIKE "Central Coast"
'EXAMPLE: CentralCoast IN URL, Central Coast in database


cmd2.Dispose()
conn2.Close()
conn2 = Nothing

Else 'REDIRECT TO INDEX PAGE BECAUSE CITY DOESN'T EXIST
cmd2.Dispose()
conn2.Close()
conn2 = Nothing
Response.Redirect("index.aspx", True)
End If

'End If

End Sub
Wednesday, March 21, 2007 4:58:40 PM UTC
oops, I forgot to quote Andrew's comment about how do create/use subdomains:
(you also have to put a wildcard(*) in IIS's domain name thing)

<Andrew asked>
Scott,

Out of interest, how did you go about creating the subdomain per user through code?

I want to do this for an upcoming project, but I have no idea where to start. I'll be using .net 2.0 and IIS 6 - am I reduced to monkeying around with IIS with WMI or something?

Any pointers would be really appreciated.
</Andrew asked>
Wednesday, March 21, 2007 7:09:52 PM UTC
Andrew

Check out this article on dynamic subdomains: Code Better
Eric
Wednesday, March 21, 2007 8:56:25 PM UTC
It might be easier to do it like this:
https://fred.foo.com
https://fred-staging.foo.com

Then you only have to do one certificate and you can map it however you want in IIS.

This might not fit for you though if you want *.foo.com and *.staging.foo.com to resolve to two different IPs using just two wildcard DNS entries. using my method you have to have individual *-staging entries in DNS if you want it to be different than *.foo.com
Wednesday, March 21, 2007 9:47:49 PM UTC
Thanks John and Eric!
Thursday, March 22, 2007 4:27:23 PM UTC
Just thinking, but what happens to just plain requests for .htm files? All this stuff has to happen at a very high webserver level to detect and deal with, no? Kinda like really good URL writing is an ISAPI filter, not a .NET interception? (I could be crazy).
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.