authorRob Crittenden <rcritten@redhat.com>2016-01-14 22:56:55 -0500
committerRob Crittenden <rcritten@redhat.com>2016-01-15 13:16:15 -0500
commita8711ee2d0d00d42b748f689c7595d1e519e3d2f (patch)
tree8ea62d6ef7432a87e9049aa6fe55dcdd572b7f33
parentdbc71f2ff451b35a394adb0c145ddb15edc853e6 (diff)
Don't send alert on SNI lookup failure to accommodate older clients
RFC 6066 section 3 says "It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable." To maintain compatibility with mod_ssl, we will not send any alert (neither warning- nor fatal-level), i.e. we take the second action suggested in RFC. "If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake." This is based on mod_ssl commit r1684462
-rw-r--r--nss_engine_init.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 95a5867..c218598 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1731,9 +1731,6 @@ PRInt32 nssSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
{
server_rec *s = (server_rec *)arg;
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "nssSSLSNISocketConfig");
-
void *pinArg;
CERTCertificate *cert = NULL;
SECKEYPrivateKey *privKey = NULL;
@@ -1758,8 +1755,25 @@ PRInt32 nssSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
nickName = searchHashVhostbyNick_match(vhost);
if (nickName == NULL) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "SNI: Search for %s failed. Unrecognized name.", vhost);
- goto loser;
+ "SNI: No matching SSL virtual host for servername "
+ "%s found (using default/first virtual host)",
+ vhost);
+ /*
+ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
+ * a warning-level unrecognized_name(112) alert, because
+ * the client's behavior in response to warning-level alerts
+ * is unpredictable."
+ *
+ * To maintain compatibility with mod_ssl, we won't send
+ * any alert (neither warning- nor fatal-level),
+ * i.e. we take the second action suggested in RFC 6066:
+ * "If the server understood the ClientHello extension but
+ * does not recognize the server name, the server SHOULD take
+ * one of two actions: either abort the handshake by sending
+ * a fatal-level unrecognized_name(112) alert or continue
+ * the handshake."
+ */
+ return 0;
}
}
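Review bot: The new `return 0;` on the miss path tells NSS that the socket was reconfigured for sniNameArr[0], which as far as I recall makes NSS acknowledge that name to the client in the ServerHello (empty server_name extension), whereas "continue the handshake with the default configuration without claiming the name" is what `SSL_SNI_CURRENT_CONFIG_IS_USED` exists for. Unless the match path in this function also returns 0 for a recognized name on purpose, consider `return SSL_SNI_CURRENT_CONFIG_IS_USED;` here and confirm against the SSLSNISocketConfig contract in NSS's ssl.h; the comment above it already says the default/first virtual host is used, so the return value should say the same. The early return also bypasses the `loser:` label the old `goto` reached, so anything that label released for resources acquired before this point (for example the buffer backing `vhost`, if it is heap-allocated) is now skipped on a lookup miss; I cannot verify this because the label and the rest of nssSSLSNISocketConfig lie outside the hunk.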