Ignore SSL server_name extension alerts (Bug 7127374)

Bernd Eckenfels bernd-2013 at eckenfels.net
Sun Jan 20 23:25:08 UTC 2013 

Hello,

quite some time back I reported a bug, that the SSLSocket of Java will  
terminate connections to servers which respond with a unrecognized_name  
alert.

	http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374

This was introduced since the SSLSocket started to send the SNI extension  
record in the client hello. My bug was closed without giving me the chance  
to comment on the analysis, so I will do that here now:

The sample SSL Server on timestamp.geotrust.com:443 (still) responds with  
a unrecognized_name alert when you sent a SNI extension. (It is most  
likely wronly configured, since there are a lot of different CA francises  
behind that infrastructure).

However the alert which is received by the SSL client is only a warning  
level, and it could be ignored by the SSL library. openssl or web browsers  
do continue if they get such a warning. I would argue the same should  
happen for Java.

In fact I wonder if we need a API for SSLSockets which allow to set more  
options like

- what extensions to send
- what warnings to accept
- what type of renegotiation (and how often) is allowed

It should also have a getWarnings() method (similiar to JDBC).

BTW: the class SimpleBIOSSLClient on

https://github.com/ecki/JavaCryptoTest/tree/master/src/main/java/net/eckenfels/test/ssl

will try to do a SSL handshake with hardcoded code and print the output.  
If you connect that to the geotrust server you can clearly see, that the  
handshake received is a warning and the endpoint continues with further  
handshake steps. (see output below). The client is not completed yet, so  
the Finish message is not valid yet, so this is why you see a second  
(fatal) alert.

I think ignoring the unrecognized_name alert is no security problem, as  
you will verify the endpoint via the received certificate anway.

>>> Record type=22 version=3.1 len=118
   Handshake client_hello len=114
     bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33  
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00  
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14  
00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16 74 69 6d 65  
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d
<<< Record type=22 version=3.1 len=80
   Handshake server_hello len=76
     Version=3.1
     serverrandom=50 fc 7b 24 28 ac 20 67 2b 6a b9 e7 63 b8 75 7b 41 d3 1f  
5c ad 73 7f ff 17 38 91 4d 94 02 48 ff
     session  =32/6a d8 1d c4 7d 7f d3 17 82 55 bd 32 9b cf 17 d5 35 55 ff  
0b c0 ff 5b e2 60 cc 16 db a1 e7 91 77
     suite=10 compression=0
     bytes=00 04 00 00 00 00
<<< Record type=22 version=3.1 len=876
   Handshake certificate len=872
     listlen=869
       DN=CN=timestamp.geotrust.com, OU=Production Security Services,  
O=GeoTrust Inc., L=Mountain View, ST=California, C=US,  
SERIALNUMBER=zeSjNRSVdrWJbAzTb281UTdfbGNtENPJ RSA/500
<<< Record type=22 version=3.1 len=4
   Handshake server_hello_done len=0
>>> Record type=22 version=3.1 len=134
   Handshake client_key_exchange len=130
     bytes=00 80 78 bd f4 70 af 2e f2 d4 7c 11 74 5e 9c 51 12 63 d2 96 99  
07 3a ec 19 c5 b6 76 4a 2c da 21 d7 31 6c c6 6e 8a 70 73 80 1f dd 7a e6 5f  
58 9b ae 29 92 8b 3c 12 fd f7 b6 8b 13 d6 fa 04 46 84 6e 05 3e 12 a4 87 90  
3f 3f 8c 5d 1b 00 65 a4 22 fa 4e 2d b4 6a ec 21 aa 8f f0 0f df 63 cb 8e 6c  
1c 05 15 35 fa 53 1d ad 3f fb 3f 3a c0 ce fb 5f 89 a7 c6 6c 1d 2b 98 20 92  
37 10 fc 0f 08 11 1d dc 22
>>> Record type=20 version=3.1 len=1
   Change Cipher Spec
     bytes=01
>>> Record type=22 version=3.1 len=36
   Handshake Encrypted
     bytes=00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
<<< Record type=21 version=3.1 len=2
   Alert len=7
     fatal(2) decryption_failed

BTW: openssl s_server has a option if the alert should be warning or  
fatal, so it can be expected the servers decide for themself if they want  
to continue or not.

Greetings
Bernd

PS: there are more affected than only the above time stamping authority  
(and jarsigner):
-  
http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0
- http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7177232

-- 
http://bernd.eckenfels.net

More information about the security-dev mailing list