I have a private NAS device. It uses a self-signed SSL certificate. I can import the cert into Firefox and everything works as long as I'm accessing the device from somewhere on the internet. SSL validation and encryption are working.

Now, if I try to access the device through my LAN, I'm getting an error from Firefox: `ssl_error_bad_certificate_domain`. This happens because I am accessing the device using its local IP address and not using the DDNS web address.

I may add the IP address to the Subject Alternative Names list in the certificate, if it is static, to solve the problem. Let us consider the case where I cannot make it static and it has to stay dynamic.

I read in RFC 2818 that

> If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.)

I know for certain that this certificate is the correct one. So, if the server can identify itself with the private key, everything is good. But how do I know whether Firefox checks the certificate even if the hostname check fails?

2 Answers

0

It sounds like you haven't included a subjectAltName section in your self-signed certificate, listing all the domain names and IP addresses under which you'll access the NAS device.

Even though Firefox has been told to disregard that this certificate has no trusted issuer, it still can't confirm that the URL you're using is covered by your security exception.

Stuart Caie
  • I have tried to enter the (static) IP address, too, but that didn't do the trick. It also didn't seem to make sense to me. – PhilippVerpoort Apr 09 '15 at 15:54
  • The URL that is reachable through the internet is a subjectAltName. As I mentioned, it is recognized from outside my private network. – PhilippVerpoort Apr 09 '15 at 15:55
0

> However, I would have to make sure that Firefox actually checks the validity of the certificate, or am I wrong? Does Firefox do that?

If you add an exception for a certificate to Firefox it will only associate the exception with the hostname in the URL. If you then get the same certificate with another hostname you must add the exception again.

If instead you add the certificate as trusted to the browser, i.e. not by using an exception but by adding it to the certificate store, then it will be used for validation like all the other trusted certificates. That means it will only validate successfully if the name given in the URL inside the browser matches the name given in the certificate. If you only have an IP you have to add it as type IP as subject alternative name (SAN), and because of some buggy browsers it is better to add it as type DNS too. Using the IP as common name will work with some browsers, but not with all. Also note that once you have a DNS entry as SAN a standard-conformant browser will no longer look at the common name, so you need to have all names as SAN.

Steffen Ullrich
  • Sounds good. I will try adding the SAN by type IP. I read online that I will have to use "IP:x.x.x.x", right? But do you know whether the certificate is actually validated by Firefox with the bad domain error or is it not even checked after Firefox realizes the domain problem? – PhilippVerpoort Apr 09 '15 at 16:32
  • I don't know if Firefox checks the name or the trust first, but it actually does not matter. And if you refer with `IP:x.x.x.x` to the syntax in the OpenSSL config file then you are probably right, see the [documentation](https://www.openssl.org/docs/apps/x509v3_config.html#Subject-Alternative-Name). – Steffen Ullrich Apr 09 '15 at 16:38
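An added example, not part of either answer: a small Python function that applies the matching rules Steffen describes (an IP literal in the URL only matches an `IP Address` SAN, and the commonName is ignored as soon as any DNS SAN exists) to constructed certificate data in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents and names are made-up sample values.

```python
import ipaddress

# Constructed certificates in getpeercert() layout: a 'subject' tuple of
# RDNs and an optional 'subjectAltName' tuple of (type, value) pairs.
CERT_CN_ONLY = {                      # old style: name only in the CN
    "subject": ((("commonName", "nas.example.dyndns.org"),),),
}
CERT_WITH_SANS = {                    # CN is an IP, SANs carry DNS + IP
    "subject": ((("commonName", "192.168.1.10"),),),
    "subjectAltName": (
        ("DNS", "nas.example.dyndns.org"),
        ("IP Address", "192.168.1.10"),
    ),
}
CERT_CN_NOT_IN_SAN = {                # CN not repeated in the SAN list
    "subject": ((("commonName", "nas.local"),),),
    "subjectAltName": (("DNS", "nas.example.dyndns.org"),),
}

def _dns_match(pattern, host):
    """Case-insensitive DNS match; one leftmost '*' label is allowed."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def cert_matches_host(cert, host):
    """True if the URL host (DNS name or IP literal) is covered by the cert.

    - An IP literal is compared only against 'IP Address' SAN entries.
    - If any DNS SAN is present, the commonName is not consulted at all.
    - The commonName is used only as a fallback when no DNS SAN exists.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host.strip("[]"))   # "[::1]" style too
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    dns_sans = [v for t, v in sans if t == "DNS"]
    if dns_sans:
        return any(_dns_match(p, host) for p in dns_sans)
    return any(key == "commonName" and _dns_match(value, host)
               for rdn in cert.get("subject", ()) for key, value in rdn)
```

The last case shows why a CN that is not repeated in the SAN list stops matching once a DNS SAN is present, and why an IP placed only in the CN does not match an IP-based URL under a strict check.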