Description
It is not possible to open the web interface via https:// with Firefox. The error message from Firefox is:
Secure connection failed
SEC_ERROR_EXTENSION_VALUE_INVALID
(Firefox 111.01 running on Ubuntu)
Tracing the issue further down, it seems that multiple extensions of Subject Alternative Name are generated but not allowed in the certificate. Instead, the DNS names need to be concatenated and included in a single SAN extension.
Steps to reproduce the behavior:
- Install and start CUPS
- Open Web interface via https:// in Firefox
- Error message SEC_ERROR_EXTENSION_VALUE_INVALID in Firefox
- Check generated certificates in /etc/cups/ssl, e.g. with
  sudo openssl x509 -in /etc/cups/ssl/box.crt -text
- You will see two entries for X509v3 Subject Alternative Name:
  X509v3 extensions:
      X509v3 Subject Alternative Name:
          DNS:box
      X509v3 Subject Alternative Name:
          DNS:box.local
With help of this forum entry:
openssl/openssl#11706
I was able to fix the issue in source file tls-openssl.c.
Please see my patch file attached. After applying the patch, the certificate is generated with a single SAN extension and multiple entries within this SAN extension:
X509v3 Subject Alternative Name:
DNS:box, DNS:box.local
This certificate seems correct now and is also accepted by Firefox.
System Information:
- OS and its version: Ubuntu 22.10
- Firefox 111.01
- Latest CUPS version from master branch, commit 55f86e0
Additional context
None
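A check for the condition described in this report, as an added example that is not part of the original issue or of the CUPS source: it parses the extension section of `openssl x509 -text` output and reports any extension that appears more than once. The two sample inputs are constructed from the output quoted above (the indentation and the trailing `Signature Algorithm` line are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

SAN = "X509v3 Subject Alternative Name"
# Constructed samples modelled on the output quoted in the report.
BEFORE = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:box
            X509v3 Subject Alternative Name:
                DNS:box.local
    Signature Algorithm: sha256WithRSAEncryption
"""
AFTER = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:box, DNS:box.local
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_extensions(text):
    """Map extension name -> one list of value lines per occurrence."""
    found = defaultdict(list)
    ext_indent = name_indent = current = None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if ext_indent is None:              # still looking for the section
            if body == "X509v3 extensions:":
                ext_indent = indent
            continue
        if indent <= ext_indent:            # left the extensions section
            break
        if name_indent is None:
            name_indent = indent            # first line inside is a name
        if indent == name_indent:           # new extension (maybe "critical")
            current = []
            found[re.sub(r":\s*(critical)?$", "", body)].append(current)
        elif current is not None:           # value line of current extension
            current.append(body)
    return dict(found)

def duplicate_extensions(text):
    """Names of extensions present more than once (RFC 5280 allows one)."""
    return sorted(n for n, occ in parse_extensions(text).items() if len(occ) > 1)

def san_names(text):
    """All SAN entries across every occurrence of the extension."""
    values = [v for occ in parse_extensions(text).get(SAN, []) for v in occ]
    return [p.strip() for v in values for p in v.split(",")]
```

Both samples carry the same two DNS names; only the first one trips the duplicate check, which matches the certificate Firefox rejected.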