Last modified: 2012-05-14 15:26:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T33800, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 31800 - upload.wikimedia.org provides wrong certificate via IPv6
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: SSL related
Version: unspecified
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: ipv6, ops
Depends on:
Blocks: 35540

Reported: 2011-10-18 16:42 UTC by maxi
Modified: 2012-05-14 15:26 UTC

Description maxi 2011-10-18 16:42:20 UTC
When connecting via IPv6 to upload.wikimedia.org a wrong certificate is shown.

The certificate is issued for "*.wikimediafoundation.org" and "wikimediafoundation.org" which does not match upload.wikimedia.org. See below.

 - Certificate[0] info:
  - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 027a5f
        Issuer: C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA
        Validity:
                Not Before: Mon Jul 18 07:19:38 UTC 2011
                Not After: Tue Jul 19 16:14:20 UTC 2016
        Subject: serialNumber=DN84DBlZKsoLji7PlLHE4Pyj6ARQXJ-L,C=US,O=*.wikimediafoundation.org,OU=GT55614722,OU=See www.rapidssl.com/resources/cps (c)11,OU=Domain Control Validated - RapidSSL(R),CN=*.wikimediafoundation.org
        Subject Public Key Algorithm: RSA
        Certificate Security Level: Low
                Modulus (bits 2048):
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Authority Key Identifier (not critical):
                        6b693d6a18424add8f026539fd35248678911630
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Key Purpose (not critical):
                        TLS WWW Server.
                        TLS WWW Client.
                Subject Alternative Name (not critical):
                        DNSname: *.wikimediafoundation.org
                        DNSname: wikimediafoundation.org
                CRL Distribution points (not critical):
                        URI: http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
                Subject Key Identifier (not critical):
                        16f250574f6b2250a9caa67c53a7b59b9eefbc5c
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
                        ASCII: 0;09..+.....0..-http://rapidssl-aia.geotrust.com/rapidssl.crt
                        Hexdump: 303b303906082b06010505073002862d687474703a2f2f726170696473736c2d6169612e67656f74727573742e636f6d2f726170696473736c2e637274
        Signature Algorithm: RSA-SHA1
Other Information:
        MD5 fingerprint:
                272480c41a073648db7fedd9066e96be
        SHA-1 fingerprint:
                70616f43e39edd64c5aedaa3f79372e654d0e30c
        Public Key Id:
                16f250574f6b2250a9caa67c53a7b59b9eefbc5c



$ host upload.wikimedia.org
upload.wikimedia.org is an alias for upload.esams.wikimedia.org.
upload.esams.wikimedia.org has address 91.198.174.234
upload.esams.wikimedia.org has IPv6 address 2620:0:862:1::80:2


When using the IPv4 address a valid certificate is provided.

This is especially annoying because I get certificate warnings every time I visit a Wikipedia page via https.

Please let me know if you need any additional information.
Comment 1 Brion Vibber 2011-10-19 18:35:49 UTC
Filed in ops' internal RT tracker: http://rt.wikimedia.org/Ticket/Display.html?id=1763
Comment 2 Liangent 2012-05-14 15:26:10 UTC
Seems resolved now, maybe in the overall SSL deployment?

$ curl -v https://upload.wikimedia.org/
* About to connect() to upload.wikimedia.org port 443 (#0)
*   Trying 2620:0:862:1::80:2...
* connected
* Connected to upload.wikimedia.org (2620:0:862:1::80:2) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: serialNumber=3Te2KNVS3beWLBffkE0QtVQ4qxo3Ix10; C=US; O=*.wikimedia.org; OU=GT11518520; OU=See www.rapidssl.com/resources/cps (c)10; OU=Domain Control Validated - RapidSSL(R); CN=*.wikimedia.org
* 	 start date: 2010-08-03 15:43:56 GMT
* 	 expire date: 2015-08-22 22:23:10 GMT
* 	 subjectAltName: upload.wikimedia.org matched
* 	 issuer: C=US; O=Equifax; OU=Equifax Secure Certificate Authority
* 	 SSL certificate verify ok.
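
As an added example (not part of the original bug report or of Wikimedia's tooling), the per-address check this report calls for, in Python: `san_matches` applies the left-most-label wildcard rule to the SAN entries quoted in the description, and `check_all_addresses` handshakes with every A and AAAA address of a host so that an IPv6-only mismatch is not hidden by a correct IPv4 endpoint. The function names are hypothetical, and the `*.wikimedia.org` SAN list is an assumption taken from the CN shown in comment 2.

```python
import socket
import ssl

# SAN entries quoted in the description (certificate served over IPv6).
SAN_FROM_REPORT = ["*.wikimediafoundation.org", "wikimediafoundation.org"]
# Assumed SAN list for the later certificate, based on its CN in comment 2.
SAN_ASSUMED_FIXED = ["*.wikimedia.org"]


def san_matches(hostname, dns_names):
    """True if hostname is covered by one of the certificate's DNS names.

    A '*' is accepted only as the entire left-most label, so it never
    spans a dot and never matches the bare parent domain.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host) or pattern[1:] != host[1:]:
            continue
        if pattern[0] == host[0] or (pattern[0] == "*" and len(pattern) > 2):
            return True
    return False


def check_all_addresses(hostname, port=443, timeout=5.0):
    """Handshake with each resolved address (IPv4 and IPv6), sending the
    hostname as SNI, and return {address: (covers_hostname, details)}."""
    ctx = ssl.create_default_context()  # the chain is still verified
    ctx.check_hostname = False          # compare names ourselves and report
    results = {}
    for family, kind, proto, _, addr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        try:
            with socket.socket(family, kind, proto) as raw:
                raw.settimeout(timeout)
                raw.connect(addr)
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    cert = tls.getpeercert()
            names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            results[addr[0]] = (san_matches(hostname, names), names)
        except OSError as exc:  # includes ssl.SSLError and timeouts
            results[addr[0]] = (False, [str(exc)])
    return results


if __name__ == "__main__":
    # Offline check against the values on this page; no network needed.
    print(san_matches("upload.wikimedia.org", SAN_FROM_REPORT))
    print(san_matches("upload.wikimedia.org", SAN_ASSUMED_FIXED))
```

Running `check_all_addresses` from a dual-stack monitoring host and alerting on any address whose first tuple element is false catches this class of misconfiguration before users see browser warnings.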
