Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Michael D'Errico <> Sat, 05 June 2010 03:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9A10E3A6870 for <>; Fri, 4 Jun 2010 20:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.322
X-Spam-Status: No, score=-1.322 tagged_above=-999 required=5 tests=[AWL=1.277, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AXuCU6gRbagm for <>; Fri, 4 Jun 2010 20:31:17 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 68D433A67B1 for <>; Fri, 4 Jun 2010 20:31:15 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 362DAB90C2; Fri, 4 Jun 2010 23:31:01 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=1yCV6XevCd+y 2p1rX4I1QzCg/5I=; b=gdpAPgqG6b2JFZqXNOFjPWOL855wV5IqLc9zawK+ss7E r9zM/IPaELd+rK9MC437FaGtxiTisJ2Jyqwz0Y481RyAgLAXSjdBbJcbm91ZCSqC yw1ya8MksKbUARf6TqC/WQklR2xPJ4h2+RBFdjFBpJj2FypnXvlbUt9FQoXrasc=
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=O/FO6M LCenLKzWDsaA6edtgI81Xi8C0Jjwi+CKVzjjEw/WSVuw5nNOIKE8Sz2m3uRjQlGg pw5sV0a9TSbf/CJ31LQ1g3ClWeQb1ZLQNKeBQBtHi/vZUVVK67OO4THYX1ZU7cRY 4U2A0138YGPgRMI1EPJrB1M3mBvRlQluF/fa8=
Received: from a-pb-sasl-quonix. (unknown []) by (Postfix) with ESMTP id DF6AEB90C0; Fri, 4 Jun 2010 23:30:57 -0400 (EDT)
Received: from administrators-macbook-pro.local (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 9DFD5B90BC; Fri, 4 Jun 2010 23:30:53 -0400 (EDT)
Message-ID: <>
Date: Fri, 04 Jun 2010 20:30:52 -0700
From: Michael D'Errico <>
User-Agent: Thunderbird (Macintosh/20090812)
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <>
References: <> from "Michael D'Errico" at Jun 4, 10 09:17:59 am <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: C1679CC8-7052-11DF-A356-6730EE7EF46B-38729857!
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 05 Jun 2010 03:31:18 -0000

Joseph Salowey (jsalowey) wrote:
> (1) "The ServerNameList MUST NOT contain more than one name of the same
> name_type. If the server understood the client hello extension, but does
> not recognize the server name, and it refuses to continue it MUST send a
> fatal unrecognized_name(112) alert and terminate the handshake.  If the
> server decides to continue the  handshake, sending a
> unrecognized_name(112) alert with a warning level is NOT RECOMMENDED,
> since the  client behavior is unpredictable.  Some clients respond by
> aborting the handshake while others allow it  to continue to certificate
> validation, which may fail as a result of a name mismatch. "

I prefer the above text, but would modify it slightly:

     If the server decides to continue the handshake, sending an
     unrecognized_name(112) alert with a warning level is NOT
     RECOMMENDED at this time due to legacy client software that
     escalates it to a fatal error.  New software is encouraged
     to treat warning alerts as informational, and not to abort
     an otherwise legitimate handshake.