Ignore SSL server_name extension alerts (Bug 7127374)
Bernd Eckenfels bernd-2013 at eckenfels.net
Mon Jan 21 04:12:32 UTC 2013
Hello,
On 21.01.2013 at 00:25, Bernd Eckenfels
<bernd-2013 at eckenfels.net> wrote:
> bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00 39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16 74 69 6d 65 73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d
It seems like while I was testing this the server was fixed, the warning I
saw on the console in the first try did not show up in the next, and was
therefore not in the pasted text... strange.
Using the correct name now skips the warning alert:
#Connecting timestamp.geotrust.com:443 sni=timestamp.geotrust.com
#>>> Record type=22 version=3.1 len=118
Handshake client_hello len=114
bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 1f 00 00 00 1b 00 19 00 00 16 74 69 6d 65
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 2e 63 6f 6d
#<<< Record type=22 version=3.1 len=80
Handshake server_hello len=76
If I send a wrong SNI, the warning is still received:
#Connecting timestamp.geotrust.com:443 sni=timestamp.geotrust2.com
#>>> Record type=22 version=3.1 len=119
Handshake client_hello len=115
bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 20 00 00 00 1c 00 1a 00 00 17 74 69 6d 65
73 74 61 6d 70 2e 67 65 6f 74 72 75 73 74 32 2e 63 6f 6d
<<< Record type=21 version=3.1 len=2
Alert len=7
warning(1) unrecognized_name
#<<< Record type=22 version=3.1 len=80
Handshake server_hello len=76
Same behaviour on my (Apache) server:
#Connecting neskaya.eckenfels.com:443 sni=neskaya.eckenfels.com
#>>> Record type=22 version=3.1 len=117
Handshake client_hello len=113
bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 1e 00 00 00 1a 00 18 00 00 15 6e 65 73 6b
61 79 61 2e 65 63 6b 65 6e 66 65 6c 73 2e 63 6f 6d
#<<< Record type=22 version=3.1 len=80
Handshake server_hello len=76
Here is an alias which is not properly configured on the server and sends
the alert (but it is the alias the certificate is verified for, so in the
case of a web browser there will be no warning, but Java aborts):
#Connecting www.eckenfels.com:443 sni=www.eckenfels.com
#>>> Record type=22 version=3.1 len=113
Handshake client_hello len=109
bytes=03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 1a 00 00 00 16 00 14 00 00 11 77 77 77 2e
65 63 6b 65 6e 66 65 6c 73 2e 63 6f 6d
#<<< Record type=21 version=3.1 len=2
Alert len=7
warning(1) unrecognized_name
#<<< Record type=22 version=3.1 len=80
Handshake server_hello len=76
Sorry for the confusion. (The new SimpleBIOSSLClient version which allows
3 arguments is now on GitHub.)
Bernd
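
Added example (not part of the original message, and not JDK or SimpleBIOSSLClient code): Python that decodes the client_hello bytes from the www.eckenfels.com trace to recover the SNI host name, and classifies the alert record that followed under the lenient policy the thread subject proposes. The alert bytes are constructed from the trace's description (warning level, unrecognized_name = 112 per RFC 6066); the function names and return labels are hypothetical.

```python
import struct

# client_hello body copied from the www.eckenfels.com trace in the message above
CLIENT_HELLO = bytes.fromhex("".join("""
03 01 ff ff ff ff 11 22 33 44 11 22 33 44 11 22 33 44 11 22 33
44 11 22 33 44 11 22 33 44 11 22 33 44 00 00 2a 00 0a 00 07 00 05 00 04 00
39 00 13 00 66 00 65 00 64 00 63 00 62 00 61 00 60 00 15 00 12 00 09 00 14
00 11 00 08 00 06 00 03 01 00 00 1a 00 00 00 16 00 14 00 00 11 77 77 77 2e
65 63 6b 65 6e 66 65 6c 73 2e 63 6f 6d
""".split()))

# Constructed sample: record header (type=21, version=3.1, len=2) + warning(1), 112
ALERT_RECORD = bytes.fromhex("15030100020170")
UNRECOGNIZED_NAME = 112  # alert description defined in RFC 6066


def sni_from_client_hello(body):
    """Return the host_name from the server_name extension, or None."""
    pos = 2 + 32                                        # client_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from(">H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # hello without extensions
    end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", body, pos)
        pos += 4
        if ext_type == 0:                               # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_type, name_len = struct.unpack_from(">BH", body, pos + 2)
            if name_type == 0:                          # host_name
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def classify_alert(record):
    """Map a plaintext TLS alert record to a client decision (assumed policy)."""
    if len(record) != 7 or record[0] != 21 or record[3:5] != b"\x00\x02":
        raise ValueError("not a plaintext alert record")
    level, desc = record[5], record[6]
    if level == 2:
        return "abort"            # fatal alerts always end the handshake
    if desc == UNRECOGNIZED_NAME:
        return "continue"         # warning only: the server_hello still follows
    return "other-warning"
```

A client that continues past this warning still has to verify the server certificate against the host name it intended to reach, since the server may be answering from a default virtual host.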