https://issues.apache.org/bugzilla/show_bug.cgi?id=56241

            Bug ID: 56241
           Summary: SNI sends warning upon name not found, RFC 6066
                    discourages this
           Product: Apache httpd-2
           Version: 2.4.7
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]

The current TLS SNI spec (RFC 6066) no longer recommends sending back a TLS
warning if the name couldn't be found because this is being interpreted as a
fatal error by many older SSL libraries with semi-broken SNI support.

"It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level alerts is
unpredictable."

I assume this is as simple as changing line 1943 of ssl_engine_kernel.c to say
NOACK instead of WARNING:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?view=markup#l1918


This is particularly noticeable if for some reason someone is using a short DNS
name (e.g. https://issues/ instead of https://issues.apache.org/) with one of the
broken SSL libraries that has semi-functional SNI support.

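As an added example (not the reporter's code and not part of httpd), the check a server operator would want here: a small Python parser that walks a captured server-side TLS record stream and reports any warning-level unrecognized_name(112) alert, the behaviour this report asks mod_ssl to stop sending. The record byte strings are constructed for the example.

```python
# Added example: scan a server's TLS records for the warning-level
# unrecognized_name(112) alert that RFC 6066 section 3 says is NOT RECOMMENDED.
import struct

CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
ALERT_LEVEL = {1: "warning", 2: "fatal"}
UNRECOGNIZED_NAME = 112  # AlertDescription value defined by RFC 6066


def iter_records(data: bytes):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, version, body
        off += 5 + length


def find_alerts(data: bytes):
    """Return a list of (level_name, description) for every alert record."""
    alerts = []
    for ctype, _version, body in iter_records(data):
        if ctype != CONTENT_TYPE_ALERT or len(body) != 2:
            continue  # alert payload is exactly two bytes: level, description
        alerts.append((ALERT_LEVEL.get(body[0], "unknown"), body[1]))
    return alerts


def sends_discouraged_sni_warning(data: bytes) -> bool:
    """True if the stream carries the warning-level unrecognized_name alert."""
    return ("warning", UNRECOGNIZED_NAME) in find_alerts(data)


# Constructed sample: old mod_ssl behaviour for an unknown SNI name, a warning
# unrecognized_name alert followed by the start of a ServerHello (type 22).
SERVER_HELLO_FRAGMENT = bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x03, 0x00, 0x04,
                               0x02, 0x00, 0x00, 0x00])
SAMPLE_WARNING_THEN_HELLO = (
    bytes([CONTENT_TYPE_ALERT, 0x03, 0x01, 0x00, 0x02, 1, UNRECOGNIZED_NAME])
    + SERVER_HELLO_FRAGMENT
)
# Constructed sample: NOACK behaviour, the server just continues with the default vhost.
SAMPLE_HELLO_ONLY = SERVER_HELLO_FRAGMENT

if __name__ == "__main__":
    for name, blob in (("warning+hello", SAMPLE_WARNING_THEN_HELLO),
                       ("hello only", SAMPLE_HELLO_ONLY)):
        print(name, find_alerts(blob), sends_discouraged_sni_warning(blob))
```

Feed it the server-to-client bytes of a handshake captured while requesting a name the server does not host; a fatal-level 112 alert shows up too, but only the warning-level one is the case RFC 6066 discourages.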