Bug 1015621

Summary: OpenSSL 0.9.8 doesn't handle SNI errors correctly
Product: Red Hat Enterprise Linux 5
Reporter: Shabba <ispcolohost>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 5.11
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-10-31 10:37:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Shabba 2013-10-04 15:56:07 UTC
Description of problem:

An application linked against OpenSSL on RHEL 5 that makes a connection to a remote host, with the expectation of using SNI to specify the hostname, will experience a client-side disconnect which causes the connection to fail if the server responds that the hostname is not found/valid.  The desired behavior is to have a warning generated because this scenario can occur normally if there is a proxy or similar device in between.  The following URL has the details:

http://comments.gmane.org/gmane.comp.encryption.openssl.devel/22621


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Have an application connect to a remote host using https and issue a hostname via SNI that you know does not exist.
2. The connection will fail.


Actual results:
 SSL3 alert read:warning:unknown
 SSL_connect:error in SSLv2/v3 read server hello A
 7632:error:14077458:SSL 

Expected results:

Ideally have it behave like OpenSSL 1.0:

 SSL3 alert read:warning:unrecognized name
 SSL3 alert write:warning:close notify

Additional info:

https://rt.openssl.org/Ticket/Display.html?id=3038&user=guest&pass=guest
http://stackoverflow.com/questions/8619706/running-curl-with-openssl-0-9-8-against-openssl-1-0-0-server-causes-handshake-er
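The behaviour the reporter asks for, as an added illustration that is not part of the bug report or of OpenSSL: a client-side handler that parses a TLS alert record and treats a warning-level alert (including one whose description it does not recognize, which is how 0.9.8 ends up printing "warning:unknown") as non-fatal, aborting only on fatal alerts. The record bytes, the `describe_alert` log format and the function names are constructed for this example.

```python
import struct

ALERT_CONTENT_TYPE = 21            # TLS record content type "alert"
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
# Alert descriptions relevant to this report (RFC 5246 / RFC 6066 values).
ALERT_DESCRIPTIONS = {0: "close notify", 112: "unrecognized name"}


def parse_alert_record(record: bytes):
    """Parse one TLS record. Return (level, description) for an alert, None otherwise."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != ALERT_CONTENT_TYPE:
        return None                # e.g. a handshake record: not our concern here
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return body[0], body[1]


def describe_alert(level: int, description: int) -> str:
    """Render the alert the way the reporter's trace does (name or 'unknown')."""
    level_name = {ALERT_LEVEL_WARNING: "warning", ALERT_LEVEL_FATAL: "fatal"}.get(level, "?")
    return "SSL3 alert read:%s:%s" % (level_name, ALERT_DESCRIPTIONS.get(description, "unknown"))


def handle_alert(level: int, description: int) -> str:
    """Decide what the client does: 'continue', 'close' or 'abort'.

    Desired (OpenSSL 1.0-style) behaviour: close_notify ends the session,
    any fatal alert aborts, and every warning-level alert, known or not,
    lets the handshake proceed instead of failing "read server hello".
    """
    if description == 0:           # close_notify is sent at warning level but means "done"
        return "close"
    if level == ALERT_LEVEL_FATAL:
        return "abort"
    if level == ALERT_LEVEL_WARNING:
        return "continue"
    raise ValueError("invalid alert level %d" % level)


if __name__ == "__main__":
    # Constructed record: alert, TLS 1.0, length 2, level=warning(1), desc=unrecognized_name(112)
    sample = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x70])
    lvl, desc = parse_alert_record(sample)
    print(describe_alert(lvl, desc), "->", handle_alert(lvl, desc))
```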

Comment 1 Tomas Mraz 2013-10-31 10:37:21 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification. Issue is already fixed in RHEL-6/7.