Public bug reported:

Apache #56241 [1] patched Apache 2.2.30 and 2.4.10 to conform to the following RFC change:
RFC 4366

  If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal).

RFC 6066 has changed this to

  If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake. It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable.

Red Hat backported the patch in RHBA-2016:0140-1. [2]

AFAICS this patch has not been applied to 12.04 and possibly 14.04.

The NSS TLS 1.3 implementation now starts to treat `unrecognized_name` as fatal. [3]

In light of these developments, would the Ubuntu LTS Maintainers please consider applying the aforementioned patch to the respective branches?

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=56241
[2] https://rhn.redhat.com/errata/RHBA-2016-0140.html
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1296862

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1615410

Title:
  Backport Apache #56241
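An added example, not part of the bug report or of the Apache patch: a check that classifies the plaintext start of a captured server response into the three outcomes the RFC 6066 text above distinguishes, so an unpatched server that still sends the warning-level alert can be spotted. The function names and the sample byte strings are assumptions constructed for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
WARNING, FATAL = 1, 2          # TLS alert levels
UNRECOGNIZED_NAME = 112        # alert description defined for SNI (RFC 6066)


def iter_records(data):
    """Yield (content_type, payload) for each plaintext TLS record in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        yield ctype, payload
        pos += 5 + length


def classify_sni_response(data):
    """Return how the server reacted to a ClientHello with an unknown SNI name."""
    warned = False
    for ctype, payload in iter_records(data):
        if ctype == ALERT:
            if len(payload) != 2:
                raise ValueError("plaintext alert must be exactly 2 bytes")
            level, description = payload
            if description != UNRECOGNIZED_NAME:
                return "other-alert"
            if level == FATAL:
                return "fatal"              # allowed by RFC 6066: abort
            warned = True                   # warning level: NOT RECOMMENDED
        elif ctype == HANDSHAKE:
            # Handshake continues; flag it if a warning alert came first.
            return "warning-then-continue" if warned else "continue"
    return "warning-only" if warned else "no-response"


# Constructed sample captures (record version bytes 0x0303).
WARN_ALERT = bytes([ALERT, 3, 3, 0, 2, WARNING, UNRECOGNIZED_NAME])
FATAL_ALERT = bytes([ALERT, 3, 3, 0, 2, FATAL, UNRECOGNIZED_NAME])
HELLO_STUB = bytes([HANDSHAKE, 3, 3, 0, 4, 2, 0, 0, 0])  # empty ServerHello stub

if __name__ == "__main__":
    for name, capture in [("unpatched", WARN_ALERT + HELLO_STUB),
                          ("abort", FATAL_ALERT), ("patched", HELLO_STUB)]:
        print(name, "->", classify_sni_response(capture))
```

A result of "warning-then-continue" is the behaviour the backport removes; "fatal" and "continue" are the two actions RFC 6066 allows.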