SSL_ERROR_UNRECOGNIZED_NAME_ALERT is ambiguous

Status: NEW
Priority: P2
Severity: major
Reported: 8 years ago
Updated: 8 years ago
Reporter: nelson
Assigned to: alvolkov.bgs
Firefox Tracking Flags: (Not tracked)

For all the SSL/TLS "alert" records, libSSL needs TWO error codes:
- one error code whose name ends in _ALERT, and
- another error code with the same name, but no trailing _ALERT

The idea is that the system that detects the error and sends the alert
locally reports the error code without the _ALERT ending.  The peer
system that receives the alert record locally reports the error code
whose name ends in _ALERT.

This way, we can tell by looking at the error code whether the log is telling
us that the local system detected the error, or the remote system detected
the error and reported it to us with an alert record.

The immediate problem is that libSSL is now using the error code
SSL_ERROR_UNRECOGNIZED_NAME_ALERT for both meanings.  There should be,
but is NO error code named SSL_ERROR_UNRECOGNIZED_NAME, and NSS's SSL
server code should report THAT error code when it receives a client hello
with an SNI bearing an unrecognized name.

This is a MAJOR issue for products that act as both client and server.
If I was still at Sun, I'd make this P1.
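To make the two-code convention concrete, here is an added example (written for this page, not NSS's own code) that models both sides of an SNI mismatch: the server that detects it reports the code without the _ALERT suffix and builds the unrecognized_name alert (description 112) for the peer, while the client that receives that alert reports the _ALERT-suffixed code. The enum names and their numeric values are assumptions, not the real sslerr.h values.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical error codes following the naming rule in the report; the
 * numeric values are placeholders, not NSS's real sslerr.h values. */
enum ssl_err {
    SSL_ERR_NONE = 0,
    SSL_ERR_UNRECOGNIZED_NAME = 1,       /* we detected the bad SNI */
    SSL_ERR_UNRECOGNIZED_NAME_ALERT = 2  /* the peer told us via an alert */
};

/* TLS alert wire values (RFC 5246 alert level, RFC 6066 description). */
#define TLS_ALERT_LEVEL_FATAL 2
#define TLS_ALERT_UNRECOGNIZED_NAME 112

typedef struct { uint8_t level, description; } tls_alert;

/* Server side: compare the client's SNI with the names this server is
 * configured for. On a miss, fill in the alert body to send to the peer
 * and return the local (no _ALERT suffix) error code. */
static enum ssl_err server_check_sni(const char *sni,
                                     const char *const *served, size_t n,
                                     tls_alert *out)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(sni, served[i]) == 0)
            return SSL_ERR_NONE;
    out->level = TLS_ALERT_LEVEL_FATAL;
    out->description = TLS_ALERT_UNRECOGNIZED_NAME;
    return SSL_ERR_UNRECOGNIZED_NAME;
}

/* Client side: a received alert maps to the _ALERT-suffixed code, so the
 * log shows the error was detected by the remote system, not locally. */
static enum ssl_err client_on_alert(const tls_alert *in)
{
    if (in->description == TLS_ALERT_UNRECOGNIZED_NAME)
        return SSL_ERR_UNRECOGNIZED_NAME_ALERT;
    return SSL_ERR_NONE; /* other alert descriptions omitted here */
}

/* Log triage: with the convention applied, the suffix alone says
 * which side detected the error. */
static int detected_by_peer(const char *errname)
{
    size_t n = strlen(errname);
    return n >= 6 && strcmp(errname + n - 6, "_ALERT") == 0;
}
```

Until a distinct SSL_ERROR_UNRECOGNIZED_NAME exists, the suffix check in detected_by_peer cannot be trusted for this particular alert, which is exactly the ambiguity the report describes.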