Bug 1298148

Summary: httpd: SNI sends warning upon name not found, RFC 6066 discourages this
Product: Red Hat Enterprise Linux 7 Reporter: Martin Frodl <mfrodl>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Martin Frodl <mfrodl>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: akarlsso, bnater, dmasirka, isenfeld, jkaluza, jorton, ohudlick, ovasik, pdwyer, rsussman, tom
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd-2.4.6-41.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1289096 Environment:
Last Closed: 2016-11-04 08:10:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1203710, 1295829, 1313485    

Description Martin Frodl 2016-01-13 10:46:36 UTC 
+++ This bug was initially created as a clone of Bug #1289096 +++

Description of problem:

Aged and/or broken TLS clients (notably java clients) behave unpredictably when responding with a SNI TLS warning and they assume it is an error. In order to work around these older and broken clients, RFC 6066 now recommends *not* sending a warning.

Version-Release number of selected component (if applicable):

httpd-2.4.6-40.el7.x86_64

How reproducible:

With the right broken clients, very.

Steps to Reproduce:

Do not have a self-contained reproducer I am afraid, but https://bz.apache.org/bugzilla/show_bug.cgi?id=56241 should show in detail what the problem is.

Actual results:

Clients suffer connection problems.

Expected results:

Clients does not suffer connection problems.

Additional info:

Have already discussed this with Joe Orton on IRC a couple weeks back.
Comment 2 Paul Dwyer 2016-01-26 16:54:56 UTC 
*** Bug 1302050 has been marked as a duplicate of this bug. ***
Comment 9 errata-xmlrpc 2016-11-04 08:10:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2534.html