--- a/modules/ssl/ssl_engine_kernel.c 2015/06/09 15:55:41 1684461 |
|
+++ b/modules/ssl/ssl_engine_kernel.c 2015/06/09 16:09:28 1684462 |
|
@@ -1940,7 +1940,7 @@ |
|
#ifndef OPENSSL_NO_TLSEXT |
|
/* |
|
* This callback function is executed when OpenSSL encounters an extended |
|
- * client hello with a server name indication extension ("SNI", cf. RFC 4366). |
|
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066). |
|
*/ |
|
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) |
|
{ |
|
@@ -1962,7 +1962,21 @@ |
|
"No matching SSL virtual host for servername " |
|
"%s found (using default/first virtual host)", |
|
servername); |
|
- return SSL_TLSEXT_ERR_ALERT_WARNING; |
|
+ /* |
|
+ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send |
|
+ * a warning-level unrecognized_name(112) alert, because |
|
+ * the client's behavior in response to warning-level alerts |
|
+ * is unpredictable." |
|
+ * |
|
+ * To maintain backwards compatibility in mod_ssl, we |
|
+ * no longer send any alert (neither warning- nor fatal-level), |
|
+ * i.e. we take the second action suggested in RFC 6066: |
|
+ * "If the server understood the ClientHello extension but |
|
+ * does not recognize the server name, the server SHOULD take |
|
+ * one of two actions: either abort the handshake by sending |
|
+ * a fatal-level unrecognized_name(112) alert or continue |
|
+ * the handshake." |
|
+ */ |
|
} |
|
} |
|
}
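Review bot: With `return SSL_TLSEXT_ERR_ALERT_WARNING;` removed, the unrecognized-name branch no longer returns on its own and falls through past the three closing braces to code outside the hunk, so the "continue the handshake" intent now depends on that later code returning SSL_TLSEXT_ERR_OK or SSL_TLSEXT_ERR_NOACK rather than an alert value. Ending the branch with an explicit `return SSL_TLSEXT_ERR_NOACK;` would keep the outcome local to the branch and self-documenting, and would survive later edits to the function's tail. The added comment should also spell out the practical consequence the RFC text does not: the handshake proceeds with the default/first virtual host's certificate, so a client asking for an unknown name will see a certificate name mismatch instead of an alert, and the log message at the top of the hunk (presumably debug level; confirm) becomes the only server-side trace of the mismatch. The enclosing ssl_callback_ServerNameIndication begins and ends outside this hunk.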