[openssl-users] How to send alert in handshake?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jun 27 15:57:01 UTC 2018



> On Jun 27, 2018, at 9:12 AM, Matt Caswell <matt at openssl.org> wrote:
> 
> Note though that RFC 3546 that you reference is obsolete. It was
> obsoleted by RFC 4366, which itself was obsoleted by RFC 6066. That last
> RFC has this to say about fatal vs warning alerts:
> 
>   If the server understood the ClientHello extension but
>   does not recognize the server name, the server SHOULD take one of two
>   actions: either abort the handshake by sending a fatal-level
>   unrecognized_name(112) alert or continue the handshake.  It is NOT
>   RECOMMENDED to send a warning-level unrecognized_name(112) alert,
>   because the client's behavior in response to warning-level alerts is
>   unpredictable.  If there is a mismatch between the server name used
>   by the client application and the server name of the credential
>   chosen by the server, this mismatch will become apparent when the
>   client application performs the server endpoint identification, at
>   which point the client application will have to decide whether to
>   proceed with the communication.

What this means is that you really should NOT send alerts, and either
select a matching certificate chain, or else let the server proceed
with the default certificate chain.  Don't abort the connection just
because the SNI did not match.  Some clients accept more than one
server name, but can only send one name in the SNI.  The default
chain may also be acceptable.

-- 
	Viktor.



More information about the openssl-users mailing list