Blame SOURCES/httpd-2.4.6-r1684462.patch

07ea28
--- a/modules/ssl/ssl_engine_kernel.c	2015/06/09 15:55:41	1684461
07ea28
+++ b/modules/ssl/ssl_engine_kernel.c	2015/06/09 16:09:28	1684462
07ea28
@@ -1940,7 +1940,7 @@
07ea28
 #ifndef OPENSSL_NO_TLSEXT
07ea28
 /*
07ea28
  * This callback function is executed when OpenSSL encounters an extended
07ea28
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
07ea28
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
07ea28
  */
07ea28
 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
07ea28
 {
07ea28
@@ -1962,7 +1962,21 @@
07ea28
                               "No matching SSL virtual host for servername "
07ea28
                               "%s found (using default/first virtual host)",
07ea28
                               servername);
07ea28
-                return SSL_TLSEXT_ERR_ALERT_WARNING;
07ea28
+                /*
07ea28
+                 * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
07ea28
+                 * a warning-level unrecognized_name(112) alert, because
07ea28
+                 * the client's behavior in response to warning-level alerts
07ea28
+                 * is unpredictable."
07ea28
+                 *
07ea28
+                 * To maintain backwards compatibility in mod_ssl, we
07ea28
+                 * no longer send any alert (neither warning- nor fatal-level),
07ea28
+                 * i.e. we take the second action suggested in RFC 6066:
07ea28
+                 * "If the server understood the ClientHello extension but
07ea28
+                 * does not recognize the server name, the server SHOULD take
07ea28
+                 * one of two actions: either abort the handshake by sending
07ea28
+                 * a fatal-level unrecognized_name(112) alert or continue
07ea28
+                 * the handshake."
07ea28
+                 */
07ea28
             }
07ea28
         }
07ea28
     }