Blame SOURCES/httpd-2.4.6-r1684462.patch
|
 |
41a6c3 |
--- a/modules/ssl/ssl_engine_kernel.c 2015/06/09 15:55:41 1684461
|
|
|
41a6c3 |
+++ b/modules/ssl/ssl_engine_kernel.c 2015/06/09 16:09:28 1684462
|
|
|
41a6c3 |
@@ -1940,7 +1940,7 @@
|
|
|
41a6c3 |
#ifndef OPENSSL_NO_TLSEXT
|
|
|
41a6c3 |
/*
|
|
|
41a6c3 |
* This callback function is executed when OpenSSL encounters an extended
|
|
|
41a6c3 |
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
|
|
|
41a6c3 |
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
|
|
|
41a6c3 |
*/
|
|
|
41a6c3 |
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
|
|
|
41a6c3 |
{
|
|
|
41a6c3 |
@@ -1962,7 +1962,21 @@
|
|
|
41a6c3 |
"No matching SSL virtual host for servername "
|
|
|
41a6c3 |
"%s found (using default/first virtual host)",
|
|
|
41a6c3 |
servername);
|
|
|
41a6c3 |
- return SSL_TLSEXT_ERR_ALERT_WARNING;
|
|
|
41a6c3 |
+ /*
|
|
|
41a6c3 |
+ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
|
|
|
41a6c3 |
+ * a warning-level unrecognized_name(112) alert, because
|
|
|
41a6c3 |
+ * the client's behavior in response to warning-level alerts
|
|
|
41a6c3 |
+ * is unpredictable."
|
|
|
41a6c3 |
+ *
|
|
|
41a6c3 |
+ * To maintain backwards compatibility in mod_ssl, we
|
|
|
41a6c3 |
+ * no longer send any alert (neither warning- nor fatal-level),
|
|
|
41a6c3 |
+ * i.e. we take the second action suggested in RFC 6066:
|
|
|
41a6c3 |
+ * "If the server understood the ClientHello extension but
|
|
|
41a6c3 |
+ * does not recognize the server name, the server SHOULD take
|
|
|
41a6c3 |
+ * one of two actions: either abort the handshake by sending
|
|
|
41a6c3 |
+ * a fatal-level unrecognized_name(112) alert or continue
|
|
|
41a6c3 |
+ * the handshake."
|
|
|
41a6c3 |
+ */
|
|
|
41a6c3 |
}
|
|
|
41a6c3 |
}
|
|
|
41a6c3 |
}
|