Source: apache2 Version: 2.2.22-13+deb7u7 Severity: normal Tags: upstream fixed-upstream wheezy Apache #56241 [1] patched Apache 2.2.30 to confirm to the following RFC change: RFC 4366 If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal). RFC 6066 has changed this to If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake. It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable. Redhat backported the patch in RHBA-2016:0140-1. [2] AFAICS this patch has not been applied to Debian Wheezy and now, NSS's TLS 1.3 implementation treats `unrecognized_name` as fatal. [3] In light of these developments, would the Debian Apache Maintainers please consider applying the aforementioned patch to the wheezy-branch? [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=56241 [2] https://rhn.redhat.com/errata/RHBA-2016-0140.html [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1296862 --
Attachment:
signature.asc
Description: OpenPGP digital signature