Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Martin Rex <> Fri, 04 June 2010 19:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 026433A6823 for <>; Fri, 4 Jun 2010 12:51:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.828
X-Spam-Status: No, score=-7.828 tagged_above=-999 required=5 tests=[AWL=0.562, BAYES_20=-0.74, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DS1YSEO49Rz9 for <>; Fri, 4 Jun 2010 12:51:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CF0703A677D for <>; Fri, 4 Jun 2010 12:51:24 -0700 (PDT)
Received: from by (26) with ESMTP id o54Jp6Or019685 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 4 Jun 2010 21:51:06 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Joseph Salowey)
Date: Fri, 4 Jun 2010 21:51:05 +0200 (MEST)
In-Reply-To: <> from "Joseph Salowey" at Jun 4, 10 10:37:02 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Jun 2010 19:51:26 -0000

Joseph Salowey wrote:
> The discussion in 5246 indicates that the warning messages are
> unpredictable.  I don't think we can solve this problem in this document
> so we wither discourage the warning in this case or we just explain the
> unpredictability.  Below are two proposed text change to paragraph after
> the structure definition in section 3 in draft-ietf-tls-rfc4366-bis-08.
> Let me know which you prefer soon as we need to get this document
> finished, because other documents are waiting on it.  

I do agree that we're talking about an extension (SNI) and an alert
for an existing spec (rfc4366) and an existing installed base,
so describing the risk of sending a warning-level "unrecognized_name"
alert to clients is sensible and appreciated.

Still, I think we have to document what _clients_ SHOULD and SHOULD NOT
do when receiving a warning-level "unrecognized_name" alert.  This was,
and still is not clear from the specification, rather it is essentially
undefined  (it is _not_ implementation defined, because a server
can not reliably distinguish individual peer client implementations by
looking at the contents of the ClientHello handshake message it sent).