Bring SNI behavior into better conformance with RFC 6066:

- no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1585090 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2014-04-05 12:57:43 +00:00
parent edbbc1acda
commit cbba0dbc00
3 changed files with 37 additions and 25 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1918,7 +1918,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 #ifdef HAVE_TLSEXT
 /*
 * This callback function is executed when OpenSSL encounters an extended
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
 */
 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
 {
@@ -1940,7 +1940,21 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
                              "No matching SSL virtual host for servername "
                              "%s found (using default/first virtual host)",
                              servername);
-                return SSL_TLSEXT_ERR_ALERT_WARNING;
+                /*
+                 * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
+                 * a warning-level unrecognized_name(112) alert, because
+                 * the client's behavior in response to warning-level alerts
+                 * is unpredictable."
+                 *
+                 * To maintain backwards compatibility in mod_ssl, we
+                 * no longer send any alert (neither warning- nor fatal-level),
+                 * i.e. we take the second action suggested in RFC 6066:
+                 * "If the server understood the ClientHello extension but
+                 * does not recognize the server name, the server SHOULD take
+                 * one of two actions: either abort the handshake by sending
+                 * a fatal-level unrecognized_name(112) alert or continue
+                 * the handshake."
+                 */
            }
        }
    }