
Issue 602545 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
(slow to respond to bugs. if it's i...
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: SSL Subdomain not verified if certificate is in Main request

Reported by r...@b-funky.nl, Apr 12 2016

Issue description

VULNERABILITY DETAILS
When opening https://www.b-funky.nl/ssltest.html, it also makes a request to https://static.b-funky.nl. I am deliberately serving a different certificate on this domain. Chrome doesn't verify the certificate of the subdomain and just handles it as secure.

VERSION
Chrome Version: 49.0.2623.112 stable
Operating System: OS X 10.11.4

REPRODUCTION CASE
Open demo url in chrome:
https://static.b-funky.nl

Open the demo URL in Safari to see the warnings, or use openssl to fetch the certificates from www.b-funky.nl:443 and static.b-funky.nl:443 (the latter returns the wrong domain name).



 

Comment 1 by tsepez@chromium.org, Apr 12 2016

Owner: f...@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to security UI team.

Comment 2 by r...@b-funky.nl, Apr 12 2016

Sorry,

My report was a bit sloppy, but I had to leave and wanted to make sure that this issue reached you as soon as possible, since it can have a big impact for people who think their connection is completely safe.
I do think that the test url https://www.b-funky.nl/ssltest.html will give you enough information but don't hesitate to contact me. I'll keep the certificate setup online until the bug is confirmed.

Comment 3 by est...@chromium.org, Apr 12 2016

Cc: davidben@chromium.org mmenke@chromium.org
Components: Internals>Network>SSL
net-internals shows HTTP2_SESSION_POOL_FOUND_EXISTING_SESSION_FROM_IP_POOL for the subresource request to static.b-funky.nl, so it's due to session pooling. I think this is WAI -- it should be okay to use a connection from the pool for the subresource request if the connection has a valid certificate for it -- but not sure.

Status: WontFix (was: Assigned)
Yeah, the subjectAltName on the original cert covers www.b-funky.nl and static.b-funky.nl so this is WAI

Comment 5 by est...@chromium.org, Apr 12 2016

Labels: -Restrict-View-SecurityTeam
Removing view restriction.
To clarify in case this was unclear: we're not failing to verify static.b-funky.nl's bad certificate. We never make a new connection to begin with.

The connection to www.b-funky.nl is still open, and that connection's certificate is good for both www.b-funky.nl and static.b-funky.nl (check the SANs), so we'll use the same HTTP/2 (or SPDY) session for requests to either host. HTTP/2 explicitly allows doing this.

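The decision described in Comments 3 to 5, written out as an added example (this is not Chromium's code; Chrome's real pooling logic has more conditions than shown here). It models the two checks that HTTP/2 connection coalescing hinges on: the pooled connection's certificate must be valid for the new host (here via its DNS subjectAltName entries, with RFC 6125 style single-label wildcards), and the new host must resolve to the IP the pooled connection is already talking to. The SAN list follows the thread (www.b-funky.nl and static.b-funky.nl); the IP addresses and the DNS table are constructed for the example, and the third host is hypothetical. The point it makes is the one in Comment 5: when coalescing succeeds, no TLS handshake to the subresource host ever happens, so whatever certificate that host would serve on its own is never fetched, let alone verified.

```python
"""HTTP/2 connection coalescing check (RFC 7540 section 9.1.1), added example."""
from dataclasses import dataclass


@dataclass
class PooledConnection:
    """An open HTTP/2 session and what its server certificate is good for."""
    origin_host: str
    remote_ip: str
    cert_dns_sans: list[str]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a single wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # *.example.com covers a.example.com but not a.b.example.com, and never a public suffix.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans: list[str], host: str) -> bool:
    return any(dns_name_matches(san, host) for san in sans)


def can_coalesce(conn: PooledConnection, new_host: str, resolved_ips: list[str]) -> tuple[bool, str]:
    """Decide whether an existing session may carry requests for new_host."""
    if not cert_covers(conn.cert_dns_sans, new_host):
        return False, "pooled certificate is not valid for " + new_host
    if conn.remote_ip not in resolved_ips:
        return False, new_host + " does not resolve to the pooled connection's IP"
    return True, "reuse session to " + conn.origin_host + " (no new TLS handshake)"


def simulate_page_load(conn: PooledConnection, subresource_hosts: list[str],
                       dns: dict[str, list[str]]) -> dict[str, str]:
    """For each subresource host, report whether a new handshake would occur."""
    decisions = {}
    for host in subresource_hosts:
        ok, why = can_coalesce(conn, host, dns.get(host, []))
        decisions[host] = ("coalesced: " if ok else "new TLS handshake: ") + why
    return decisions


# Constructed data: documentation-range IPs, SANs as stated in the thread.
DNS = {
    "www.b-funky.nl": ["203.0.113.10"],
    "static.b-funky.nl": ["203.0.113.10"],
    "cdn.example.net": ["198.51.100.7"],  # hypothetical third-party host
}
MAIN_PAGE_CONN = PooledConnection(
    origin_host="www.b-funky.nl",
    remote_ip="203.0.113.10",
    cert_dns_sans=["www.b-funky.nl", "static.b-funky.nl"],
)

if __name__ == "__main__":
    for host, outcome in simulate_page_load(
            MAIN_PAGE_CONN, ["static.b-funky.nl", "cdn.example.net"], DNS).items():
        print(f"{host}: {outcome}")
```

The reporter's reproduction with openssl talks to static.b-funky.nl:443 directly, which forces a fresh handshake and therefore sees the separate certificate; a browser that already holds a session whose certificate lists that name never reaches that code path. If static.b-funky.nl were moved to a different IP, `can_coalesce` would return `False` and the browser would open a new connection and validate the certificate actually served there.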
Comment 7 by r...@b-funky.nl, Apr 12 2016

Thanks for the fast response. Perfectly clear. Will remove the test file.

Comment 8 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
