Hi

Steps to reproduce:

host_1.domain.com resolves to IP_ADDR_1 (v4) and IP_ADDR_2 (v6).
host_2.domain.com resolves to IP_ADDR_1 (v4).
Both servers support SPDY/HTTP2 and share the same wildcard SSL certificate for *.domain.com.

The user opens a secure HTTPS connection to https://host_1.domain.com and FF successfully opens the page, connecting to IP_ADDR_2 (because IPv6 is usually preferred over IPv4 connections). After that, the user tries to open the URL https://host_2.domain.com, but Firefox will NOT connect to IP_ADDR_1 !!!! Instead, Firefox is going to reuse its existing connection to IP_ADDR_2 (despite the fact that it does NOT belong to host_2.domain.com).

There is a bug opened for that (https://bugzilla.mozilla.org/show_bug.cgi?id=1190136), but for some reason Patrick McManus continues to claim that such behaviour is completely normal and by design. Patrick claims that, given the fact that both domains are sharing "IP_ADDR_1", it is also "Ok" to assume that all the rest of the IP addresses of host_1 can be used to send requests to host_2. To me it sounds like complete nonsense, and such behaviour will most likely lead to a MITM vulnerability.

I would like to move the discussion here. What do you think should be the correct behaviour for FF in the described case?

Regards,
Yuri

_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
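
The two connection-reuse decisions at issue in this message, modelled side by side as an added example (this is not Firefox code and not part of the original post). The class and function names are hypothetical, and the addresses are constructed documentation-range stand-ins for IP_ADDR_1 and IP_ADDR_2.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:          # hypothetical model of one open HTTP/2 session
    host: str              # name the session was opened for
    peer_ip: str           # address the socket is actually connected to
    cert_names: tuple      # names from the server certificate
    origin_dns: tuple      # full DNS answer for `host`

def cert_covers(cert_names, host):
    """Exact match, or a wildcard that stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    head, _, rest = host.partition(".")
    for name in (n.lower() for n in cert_names):
        if name == host or (name.startswith("*.") and head and rest == name[2:]):
            return True
    return False

def addr_set(addrs):
    return {ipaddress.ip_address(a) for a in addrs}

def reuse_by_overlap(conn, new_host, new_dns):
    """Behaviour described in the post: one shared address between the answers suffices."""
    return cert_covers(conn.cert_names, new_host) and bool(
        addr_set(conn.origin_dns) & addr_set(new_dns))

def reuse_by_peer_address(conn, new_host, new_dns):
    """Stricter rule: the connected address itself must be in the new host's answer."""
    return cert_covers(conn.cert_names, new_host) and (
        ipaddress.ip_address(conn.peer_ip) in addr_set(new_dns))

# Constructed sample data: documentation-range stand-ins for IP_ADDR_1 / IP_ADDR_2.
IP_ADDR_1, IP_ADDR_2 = "192.0.2.10", "2001:db8::10"
HOST_2, HOST_2_DNS = "host_2.domain.com", (IP_ADDR_1,)
CONN_V6 = Connection("host_1.domain.com", IP_ADDR_2, ("*.domain.com",), (IP_ADDR_1, IP_ADDR_2))
CONN_V4 = Connection("host_1.domain.com", IP_ADDR_1, ("*.domain.com",), (IP_ADDR_1, IP_ADDR_2))

if __name__ == "__main__":
    for label, conn in (("connected over v6", CONN_V6), ("connected over v4", CONN_V4)):
        print(label, "| overlap rule:", reuse_by_overlap(conn, HOST_2, HOST_2_DNS),
              "| peer-address rule:", reuse_by_peer_address(conn, HOST_2, HOST_2_DNS))
```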
