field | value | date |
---|---|---|
author | Rob Crittenden <rcritten@redhat.com> | 2016-01-14 22:56:55 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2016-01-15 13:16:15 -0500 |
commit | a8711ee2d0d00d42b748f689c7595d1e519e3d2f | |
tree | 8ea62d6ef7432a87e9049aa6fe55dcdd572b7f33 /nss_engine_vars.c | |
parent | dbc71f2ff451b35a394adb0c145ddb15edc853e6 | |
Don't send alert on SNI lookup failure to accommodate older clients
RFC 6066 section 3 says "It is NOT RECOMMENDED to
send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level
alerts is unpredictable."
To maintain compatibility with mod_ssl, we will not send
any alert (neither warning- nor fatal-level),
i.e. we take the second action suggested in RFC.
"If the server understood the ClientHello extension
but does not recognize the server name, the server
SHOULD take one of two actions: either abort the handshake by
sending a fatal-level unrecognized_name(112) alert or
continue the handshake."
This is based on mod_ssl commit r1684462
Diffstat (limited to 'nss_engine_vars.c')
0 files changed, 0 insertions, 0 deletions