Red Hat Bugzilla – Bug 1015621
OpenSSL 0.9.8 doesn't handle SNI errors correctly
Last modified: 2013-10-31 06:37:21 EDT
Description of problem:
An application linked against OpenSSL on RHEL 5 that makes a connection to a remote host, with the expectation of using SNI to specify the hostname, will experience a client-side disconnect which causes the connection to fail if the server responds that the hostname is not found/valid. The desired behavior is to have a warning generated because this scenario can occur normally if there is a proxy or similar device in between. The following URL has the details:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Have an application connect to a remote host using https and issue a hostname via SNI that you know does not exist.
2. The connection will fail.
SSL3 alert read:warning:unknown
SSL_connect:error in SSLv2/v3 read server hello A
Ideally have it behave like OpenSSL 1.0:
SSL3 alert read:warning:unrecognized name
SSL3 alert write:warning:close notify
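To make the difference between the two log excerpts above concrete, here is an added example, written for this bug page rather than taken from OpenSSL or from the reporter: a small Python decoder for TLS alert records that renders an alert the way the log lines do ("warning:unrecognized name") and decides whether a client should keep the connection open. The `legacy=True` mode and the `LEGACY_KNOWN` table are an assumption that models the 0.9.8 behaviour shown in the report (a warning-level alert whose description the client reports as "unknown" ends the connection); the record bytes are constructed, not captured from a server.

```python
"""Decode TLS alert records and decide whether a client should keep going.

Added example for this bug report; it is not OpenSSL code.  The record
bytes produced by make_alert() are constructed sample input.
"""
import struct

ALERT_CONTENT_TYPE = 0x15           # TLS record type for alerts
LEVELS = {1: "warning", 2: "fatal"}  # AlertLevel values from RFC 5246

# Alert descriptions from RFC 5246, plus unrecognized_name(112) from RFC 6066.
DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

# Assumption: a client predating RFC 6066 knows only the RFC 5246 descriptions,
# which mirrors the "warning:unknown" the report shows for OpenSSL 0.9.8.
LEGACY_KNOWN = set(DESCRIPTIONS) - {112}


def parse_alert_record(record: bytes):
    """Return (level, description) from a complete TLS alert record.

    Raises ValueError for anything that is not a well-formed 2-byte alert.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = record[5], record[6]
    if level not in LEVELS:
        raise ValueError(f"unknown alert level {level}")
    return level, description


def describe_alert(record: bytes, known=None) -> str:
    """Render an alert like the report's log lines, e.g. 'warning:unrecognized name'.

    `known` is the set of descriptions this client understands; anything else
    is shown as 'unknown', as the 0.9.8 output in the report does.
    """
    known = DESCRIPTIONS if known is None else known
    level, description = parse_alert_record(record)
    name = DESCRIPTIONS[description] if description in known else "unknown"
    return f"{LEVELS[level]}:{name.replace('_', ' ')}"


def client_should_abort(record: bytes, legacy: bool = False) -> bool:
    """Decide whether the client should tear the connection down on this alert.

    Fatal alerts always end the connection and close_notify ends it cleanly.
    A warning-level alert whose description the client understands is only
    logged and the handshake continues (the OpenSSL 1.0 behaviour in the
    report).  With legacy=True the client models the 0.9.8 build, which fails
    on a warning it cannot classify.
    """
    level, description = parse_alert_record(record)
    if level == 2 or description == 0:
        return True
    if legacy and description not in LEGACY_KNOWN:
        return True
    return False


def make_alert(level: int, description: int, version=(3, 1)) -> bytes:
    """Build a constructed TLS alert record (sample input for the checks above)."""
    return struct.pack("!BBBH", ALERT_CONTENT_TYPE, *version, 2) + bytes([level, description])


if __name__ == "__main__":
    # Warning-level unrecognized_name, as a server answers an SNI name it does not serve.
    sample = make_alert(1, 112)
    print(describe_alert(sample))                # warning:unrecognized name
    print(describe_alert(sample, LEGACY_KNOWN))  # warning:unknown
    print(client_should_abort(sample), client_should_abort(sample, legacy=True))
```

Reading the report's two traces with this in hand: the 0.9.8 client sees level 1 with a description it cannot name and gives up while still in "read server hello", whereas the 1.0 client names it unrecognized_name, treats it as the warning it is, and later sends its own close_notify when it is done. When triaging such failures behind a proxy or a shared TLS front end, a warning-level alert of this kind is a log line, not an error.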
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 5, and therefore will be closed.

If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification. The issue is already fixed in RHEL-6/7.