Bug 1015621 - OpenSSL 0.9.8 doesn't handle SNI errors correctly
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.11
Assigned To: Tomas Mraz
BaseOS QE Security Team
Reported: 2013-10-04 11:56 EDT by Shabba
Modified: 2013-10-31 06:37 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-31 06:37:21 EDT
Type: Bug
Attachments: None
Description Shabba 2013-10-04 11:56:07 EDT
Description of problem:

An application linked against OpenSSL on RHEL 5 that makes a connection to a remote host, with the expectation of using SNI to specify the hostname, will experience a client-side disconnect which causes the connection to fail if the server responds that the hostname is not found/valid.  The desired behavior is to have a warning generated because this scenario can occur normally if there is a proxy or similar device in between.  The following URL has the details:

http://comments.gmane.org/gmane.comp.encryption.openssl.devel/22621


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Have an application connect to a remote host using https and issue a hostname via SNI that you know does not exist.
2. The connection will fail.


Actual results:
 SSL3 alert read:warning:unknown
 SSL_connect:error in SSLv2/v3 read server hello A
 7632:error:14077458:SSL 

Expected results:

Ideally have it behave like OpenSSL 1.0:

 SSL3 alert read:warning:unrecognized name
 SSL3 alert write:warning:close notify

Additional info:

https://rt.openssl.org/Ticket/Display.html?id=3038&user=guest&pass=guest
http://stackoverflow.com/questions/8619706/running-curl-with-openssl-0-9-8-against-openssl-1-0-0-server-causes-handshake-er
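The behaviour the report describes, as an added illustration that is not part of the bug report and not OpenSSL's code: a TLS alert record is decoded, named the way the "SSL3 alert read:<level>:<name>" trace lines above print it, and classified by what a client should do with it. The function names and the LEGACY_ALERT_NAMES table (a model of a client that does not know alert code 112) are my own constructs.

```python
import struct

CONTENT_TYPE_ALERT = 21
LEVEL_WARNING, LEVEL_FATAL = 1, 2

# AlertDescription names: a subset of RFC 5246 section 7.2 plus the SNI alert
# unrecognized_name(112) defined in RFC 6066.
ALERT_NAMES = {0: "close notify", 40: "handshake failure", 112: "unrecognized name"}
# Same table without code 112: models a client that does not know the SNI alert,
# so it can only print "unknown" for it (hypothetical, not OpenSSL's table).
LEGACY_ALERT_NAMES = {code: name for code, name in ALERT_NAMES.items() if code != 112}

def parse_alert_record(record: bytes):
    """Return (level, description) from one raw TLS record of content type alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {ctype} is not an alert record")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly two bytes")
    return record[5], record[6]

def describe_alert(level: int, description: int, names=ALERT_NAMES) -> str:
    """Render the alert as '<level>:<name>', as in the trace lines of the report."""
    level_name = {LEVEL_WARNING: "warning", LEVEL_FATAL: "fatal"}.get(level, "unknown")
    return f"{level_name}:{names.get(description, 'unknown')}"

def client_action(level: int, description: int) -> str:
    """What a client should do with an alert received during the handshake.

    A fatal alert ends the connection (RFC 5246 section 7.2.2). A warning-level
    alert, including unrecognized_name(112) from a server that did not match
    the SNI hostname, is only logged and the handshake continues; the one
    warning that means the peer is closing is close_notify(0).
    """
    if level == LEVEL_FATAL:
        return "abort"
    if level == LEVEL_WARNING:
        return "close" if description == 0 else "continue"
    raise ValueError(f"invalid alert level {level}")

# Constructed sample records: 5-byte header (alert, TLS 1.0, length 2) + 2-byte body.
SNI_WARNING = bytes.fromhex("1503010002") + bytes([LEVEL_WARNING, 112])
FATAL_HANDSHAKE_FAILURE = bytes.fromhex("1503010002") + bytes([LEVEL_FATAL, 40])
```

Feeding SNI_WARNING through describe_alert with the two tables yields "warning:unrecognized name" and "warning:unknown" respectively, while client_action returns "continue" for it and "abort" for the fatal record.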
Comment 1 Tomas Mraz 2013-10-31 06:37:21 EDT
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification. Issue is already fixed in RHEL-6/7.
