Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Michael D'Errico <> Mon, 14 June 2010 15:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 802DF3A6915 for <>; Mon, 14 Jun 2010 08:36:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.563
X-Spam-Status: No, score=-0.563 tagged_above=-999 required=5 tests=[AWL=-0.378, BAYES_40=-0.185]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X2jJyVxQwWHW for <>; Mon, 14 Jun 2010 08:36:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 794413A69B5 for <>; Mon, 14 Jun 2010 08:36:42 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 5DDC3BCB4B; Mon, 14 Jun 2010 11:36:45 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=Cvbk0HMcdvrX Bry5mWpMQ51Wa6g=; b=tXq4eeJE6Zc+KELzEy3CeWpzb5vIxU4jvJnZyG/S09Mb kNWrbZYrMtmNUP7LhRHed9G0V7Yy7SObVNMrgCr5pF8WYj0VBC0Nm8fC23t0Pesl DKRUctsE7VYKdWEZuQIMq3qLPzUQfWxkFEzeoRr2GMYIxtkGBcMcBamhDZRL/EA=
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=WV/X4c tuidJJMuU1a+b+Lx90l8ELO9QMD0xFnRwL/uy5DSHR+BeagT8diSD/TsM8jj2WnK kZpnZijhUnkP3Eiaep0h6RQJt5Gw30+wWh3VqXDUWyXEKZYGnm3B0t8OtO8cGN72 Y6L1O17f3tAAuqLwW14zDv0QsatAxyUovc9gY=
Received: from a-pb-sasl-quonix. (unknown []) by (Postfix) with ESMTP id 4724ABCB4A; Mon, 14 Jun 2010 11:36:44 -0400 (EDT)
Received: from administrators-macbook-pro.local (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id CFB8ABCB43; Mon, 14 Jun 2010 11:36:37 -0400 (EDT)
Message-ID: <>
Date: Mon, 14 Jun 2010 08:36:36 -0700
From: Michael D'Errico <>
User-Agent: Thunderbird (Macintosh/20090812)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: A2C80B66-77CA-11DF-B567-9056EE7EF46B-38729857!
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Jun 2010 15:36:43 -0000

Martin Rex wrote:
> TLS does not need to know anything about DNS (server) names involved
> in a communication.  That is, and has always been, clearly specified
> by all versions of TLS to be entirely an application matter.

There is never a clear line you can draw between one layer and another,
such that no TLS layer will ever reach higher toward an application, or
that no application will reach lower toward the TLS layer.

In my TLS code, there is a simple configuration scheme that applications
use to tell the TLS layer which domain names map to which certificate
chains.  Once set up, the application doesn't need to do anything more
since the TLS code then handles certificate selection based on the SNI,
version, cipher suite, supported signature algorithms, and key usage.
It's quite complicated.

You might condemn this as some sort of layering violation, but it really
does make life easier for application writers.  I wrote the code once
instead of requiring every application writer to have to reinvent it.