https://issues.apache.org/bugzilla/show_bug.cgi?id=56241
Kaspar Brand <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Hardware|PC |All Version|2.4.7 |2.4-HEAD OS|Linux |All --- Comment #1 from Kaspar Brand <[email protected]> --- (In reply to Jon from comment #0) > The current TLS SNI spec (RFC 6066) no longer recommends sending back a TLS > warning if the name couldn't be found because this is being interpreted as a > fatal error by many older SSL libraries with semi-broken SNI support. I agree that mod_ssl's current behavior still reflects RFC 4366. Specifically: If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal). RFC 6066 has changed this to If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake. It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable. For backward compatibility, I think we should take the second action ("continue the handshake"), i.e. return SSL_TLSEXT_ERR_NOACK as suggested. > I assume this is as simple as changing line 1943 of ssl_engine_kernel.c to > say NOACK instead of WARNING: We can just drop line 1943, essentially, and fall through. Did you already test this with the SSL library which is causing problems for you? -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
