Ignore SSL server_name extension alerts (Bug 7127374)

Bernd Eckenfels bernd-2013 at eckenfels.net
Sun Jan 20 20:12:32 PST 2013


Hello,

On 21.01.2013 00:25, Bernd Eckenfels <bernd-2013 at eckenfels.net> wrote:
>      bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22  
> 33 44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00  
> 04 00 39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00  
> 09 00 14 00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16  
> 74 69 6d 65 73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d

It seems that while I was testing this the server was fixed: the warning I
saw on the console in the first try did not show up in the next, and was
therefore not in the pasted text... strange.

Using the correct name now skips the warning alert:

#Connecting timestamp.geotrust.com:443 sni=timestamp.geotrust.com
#>>> Record type=22 version=3.1 len=118
#   Handshake client_hello len=114
#     bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33  
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00  
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14  
00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16 74 69 6d 65  
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d
#<<< Record type=22 version=3.1 len=80
#  Handshake server_hello len=76

If I send a wrong SNI, the warning is still received:

#Connecting timestamp.geotrust.com:443 sni=timestamp.geotrust2.com
#>>> Record type=22 version=3.1 len=119
# Handshake client_hello len=115
#   bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33  
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00  
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14  
00 11 00 08 00 06 00 03 01 00 00 20 00 00 00 1c 00 1a 00 00 17 74 69 6d 65  
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 32 2e 63 6f 6d
# <<< Record type=21 version=3.1 len=2
#  Alert len=7
#    warning(1) unrecognized_name
#<<< Record type=22 version=3.1 len=80
#  Handshake server_hello len=76


Same behaviour on my (apache) server:

#Connecting neskaya.eckenfels.com:443 sni=neskaya.eckenfels.com
#>>> Record type=22 version=3.1 len=117
#  Handshake client_hello len=113
#    bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33  
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00  
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14  
00 11 00 08 00 06 00 03 01 00 00 1e 00 00 00 1a 00 18 00 00 15 6e 65 73 6b  
61 79 61 2e 65 63 6b 65 6e 66 65 6c 73 2e 63 6f 6d
#<<< Record type=22 version=3.1 len=80
#  Handshake server_hello len=76

Here is an alias which is not properly configured on the server and sends
the alert (but it is the alias the certificate is verified for, so in the
case of a web browser there will be no warning - but Java aborts):

#Connecting www.eckenfels.com:443 sni=www.eckenfels.com
#>>> Record type=22 version=3.1 len=113
#  Handshake client_hello len=109
#    bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33  
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00  
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14  
00 11 00 08 00 06 00 03 01 00 00 1a 00 00 00 16 00 14 00 00 11 77 77 77 2e  
65 63 6b 65 6e 66 65 6c 73 2e 63 6f 6d
#<<< Record type=21 version=3.1 len=2
#  Alert len=7
#    warning(1) unrecognized_name
#<<< Record type=22 version=3.1 len=80
#  Handshake server_hello len=76

Sorry for the confusion. (The new SimpleBIOSSLClient version, which allows
3 arguments, is now on GitHub.)

Bernd
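To make the traces above easier to check by hand, here is a small parser for the records they show. It is an added example and is not part of the mail, of SimpleBIOSSLClient, or of the JDK fix. The ClientHello body is copied byte for byte from the sni=timestamp.geotrust.com trace (the tool prints the handshake body without its 4-byte header); the alert record is constructed from what the trace reports (content type 21, version 3.1, length 2, warning(1) unrecognized_name), and the unrecognized_name code 112 (0x70) is taken from RFC 6066 because the tool does not print the raw alert bytes. The abort policy in classify_alert is the one the subject line of this thread asks for: a warning-level alert is recorded and the handshake continues, only a fatal alert aborts.

```python
import struct

# ClientHello body (handshake header already stripped) copied from the
# "sni=timestamp.geotrust.com" trace in the mail above.
CLIENT_HELLO_HEX = """
03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16 74 69 6d 65
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d
"""

# Constructed alert record: the trace reports content type 21, version 3.1,
# length 2, warning(1) unrecognized_name. The description byte 0x70 (112)
# is assumed from RFC 6066; the tool does not print it.
ALERT_RECORD_HEX = "15 03 01 00 02 01 70"

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
EXT_SERVER_NAME = 0          # server_name extension type (RFC 6066)
NAME_TYPE_HOST_NAME = 0
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 112: "unrecognized_name"}


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def u16(buf: bytes, off: int) -> int:
    return struct.unpack("!H", buf[off:off + 2])[0]


def parse_record(raw: bytes):
    """Split one TLS record into (content_type, (major, minor), fragment)."""
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    if len(raw) < 5 + length:
        raise ValueError("truncated record")
    return ctype, (major, minor), raw[5:5 + length]


def parse_server_name_list(data: bytes) -> list:
    """Decode a server_name extension body into its list of host names."""
    list_len = u16(data, 0)
    if list_len != len(data) - 2:
        raise ValueError("server_name list length mismatch")
    names, off = [], 2
    while off < 2 + list_len:
        name_type, name_len = data[off], u16(data, off + 1)
        off += 3
        name = data[off:off + name_len]
        off += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            names.append(name.decode("ascii"))
    return names


def parse_client_hello(body: bytes) -> dict:
    """Walk a ClientHello body and pull out version, cipher suites and SNI."""
    version = (body[0], body[1])
    off = 2 + 32                               # client_version + random
    off += 1 + body[off]                       # session_id (length-prefixed)
    cs_len = u16(body, off)
    off += 2
    suites = [u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                       # compression_methods
    hello = {"version": version, "cipher_suites": suites, "server_names": []}
    if off == len(body):
        return hello                           # no extensions block at all
    ext_len = u16(body, off)
    off += 2
    if off + ext_len != len(body):
        raise ValueError("extensions length mismatch")
    while off < len(body):
        ext_type, length = u16(body, off), u16(body, off + 2)
        off += 4
        if ext_type == EXT_SERVER_NAME:
            hello["server_names"] += parse_server_name_list(body[off:off + length])
        off += length
    return hello


def classify_alert(fragment: bytes) -> dict:
    """Decode an alert fragment and decide whether the client should abort.

    Policy: only a fatal alert aborts. A warning-level alert such as
    unrecognized_name is reported but the handshake continues, which is what
    the traces above show the server expects (its ServerHello follows).
    """
    level, desc = fragment[0], fragment[1]
    level_name = {1: "warning", 2: "fatal"}.get(level, "unknown")
    return {"level": level_name,
            "description": ALERT_NAMES.get(desc, "alert_%d" % desc),
            "abort": level == 2}


if __name__ == "__main__":
    hello = parse_client_hello(hex_to_bytes(CLIENT_HELLO_HEX))
    print("SNI sent:", hello["server_names"], "suites:", len(hello["cipher_suites"]))
    ctype, ver, frag = parse_record(hex_to_bytes(ALERT_RECORD_HEX))
    print("alert record type", ctype, "version", ver, classify_alert(frag))
```

Running it on the trace bytes gives the SNI "timestamp.geotrust.com" and 21 offered cipher suites, which matches the tool's len=114 accounting (2 + 32 + 1 + 2 + 42 + 2 + 2 + 31); the same function decodes the www.eckenfels.com hello if its bytes are pasted in instead, since only the extension lengths differ.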


More information about the security-dev mailing list