Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Martin Rex <> Mon, 14 June 2010 14:02 UTC

To: (Michael D'Errico)
Date: Mon, 14 Jun 2010 16:02:18 +0200 (MEST)
In-Reply-To: <> from "Michael D'Errico" at Jun 11, 10 03:47:46 pm

Michael D'Errico wrote:
> Martin Rex wrote:
> > 
> > SNI is _not_ a naming service.  It is not even a part of TLS itself.
> I have no idea what point you're trying to make here.  What gives you
> the idea that the server name extension is not a part of TLS?

> > RFC-5246 is pretty clear about this (last sentence of section 1):
> > 
> >    the decisions on [...] how to interpret the authentication certificates
> >    exchanged are left to the judgment of the designers and implementors
> >    of protocols that run on top of TLS. 

> It's apparent that you don't understand what SNI is for.  TLS absolutely
> needs to know which domain name a client is trying to connect to so that
> an appropriate certificate chain can be selected.

No, it doesn't.  It is a clear violation of the architecture if TLS
itself messes around with the names in certificates.

TLS does not need to know anything about DNS (server) names involved
in a communication.  That is, and has always been, clearly specified
by all versions of TLS to be entirely an application matter.

Even if many TLS implementations today provide helper functions to
applications for performing server endpoint identification, it is still
a matter of the application to make use of these functions, or to
perform endpoint identification in a completely different fashion.
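The message above draws a line between what the TLS layer does (validate the certificate chain) and what the application does (decide whether the presented certificate names the endpoint it meant to reach). As an added illustration, not code from this thread or from any of the participants, the following Python shows that application-side step in isolation: after the TLS library has handed back the subjectAltName entries of an already-validated certificate, the application compares its own reference name (the name it would also send as SNI) against them using the RFC 6125 / RFC 2818 dNSName and wildcard rules. The function names and the sample SAN lists are constructed for this example.

```python
"""
Application-level endpoint identification, kept separate from the TLS handshake.

Added example (not from the mailing-list thread). The TLS layer is assumed to
have already validated the chain and extracted the SAN entries; everything
below is the application's own decision. Helper names and sample data are
constructed for this illustration.
"""
import ipaddress


def dns_name_matches(presented: str, reference: str) -> bool:
    """
    Return True if a presented dNSName (possibly with a leftmost '*' label)
    identifies the reference hostname the application wanted to reach.

    Rules applied (RFC 6125 section 6.4.3, conservative reading):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard may only be the entire leftmost label
      - a wildcard matches exactly one non-empty label, never across dots
      - wildcards need at least two further labels ('*.test' is rejected)
    """
    presented = presented.rstrip(".").lower()
    reference = reference.rstrip(".").lower()
    if not presented or not reference:
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if "*" in presented:
        # Reject partial wildcards ('f*o'), wildcards in non-leftmost labels,
        # and patterns that would span a whole public suffix.
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
            return False
    if len(p_labels) != len(r_labels):
        return False
    for p, r in zip(p_labels, r_labels):
        if p == "*":
            if not r:          # '*' must match a non-empty label
                return False
        elif p != r:
            return False
    return True


def verify_endpoint(reference: str, san_dns_names, san_ip_addresses=()) -> bool:
    """
    Application-side endpoint identification.

    `reference` is the name (or IP literal) the application connected to;
    `san_dns_names` / `san_ip_addresses` are the dNSName and iPAddress SAN
    entries the TLS layer extracted from the already-validated certificate.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an iPAddress SAN; dNSName entries never count.
        return any(ipaddress.ip_address(a) == ip for a in san_ip_addresses)
    return any(dns_name_matches(name, reference) for name in san_dns_names)


# Constructed sample SAN contents, as a TLS library might hand them to the app.
SAMPLE_SAN_DNS = ["www.example.test", "*.example.test"]
SAMPLE_SAN_IP = ["192.0.2.10"]

if __name__ == "__main__":
    for ref in ["www.example.test", "api.example.test", "a.b.example.test",
                "example.test", "192.0.2.10", "192.0.2.11"]:
        print(f"{ref:18} -> {verify_endpoint(ref, SAMPLE_SAN_DNS, SAMPLE_SAN_IP)}")
```

Nothing in this code touches the handshake or the SNI extension itself; the point of keeping it as a separate function is that a library can offer it as a helper, but whether it is called, and with which reference name, remains the caller's decision.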