Source: apache2
Version: 2.2.22-13+deb7u7
Severity: normal
Tags: upstream fixed-upstream wheezy
Apache #56241 [1] patched Apache 2.2.30 to conform to the following RFC
change:
RFC 4366
If the server understood the client hello extension but does not
recognize the server name, it SHOULD send an "unrecognized_name"
alert (which MAY be fatal).
RFC 6066 has changed this to
If the server understood the ClientHello extension but
does not recognize the server name, the server SHOULD take one of two
actions: either abort the handshake by sending a fatal-level
unrecognized_name(112) alert or continue the handshake. It is NOT
RECOMMENDED to send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level alerts is
unpredictable.
Red Hat backported the patch in RHBA-2016:0140-1. [2]
AFAICS this patch has not been applied to Debian Wheezy, and now NSS's
TLS 1.3 implementation treats `unrecognized_name` as fatal. [3]
In light of these developments, would the Debian Apache Maintainers
please consider applying the aforementioned patch to the wheezy-branch?
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=56241
[2] https://rhn.redhat.com/errata/RHBA-2016-0140.html
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1296862
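To make the three behaviours discussed in the report concrete (a warning-level unrecognized_name(112) alert followed by a continued handshake, a fatal alert that aborts, or no alert at all), the following added example parses a plaintext TLS record stream and reports which case a server exhibited. This is illustration code written for this page, not code from the bug report, Apache, Red Hat or Debian; the byte strings are constructed by hand to mimic what a client would see on the wire immediately after sending a ClientHello with an unknown SNI name, and the handshake fragment is a dummy placeholder rather than a real ServerHello.

```python
"""Classify a server's response to an unknown SNI name from captured TLS records.

Only plaintext records are parsed: the unrecognized_name alert a server sends in
reaction to the ClientHello arrives before any keys are established, so it is
readable here; alerts sent after the handshake is encrypted are not.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

CT_ALERT = 21                      # TLS ContentType alert(21)
CT_HANDSHAKE = 22                  # TLS ContentType handshake(22)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
UNRECOGNIZED_NAME = 112            # AlertDescription unrecognized_name(112), RFC 6066


class Record(NamedTuple):
    content_type: int
    version: Tuple[int, int]
    fragment: bytes


def iter_records(stream: bytes) -> Iterator[Record]:
    """Split a byte stream into TLS records (5-byte header + fragment)."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        off += 5
        fragment = stream[off:off + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record fragment")
        off += length
        yield Record(ctype, (major, minor), fragment)


def find_sni_alerts(stream: bytes) -> List[str]:
    """Return the level ('warning'/'fatal') of every unrecognized_name alert seen."""
    levels = []
    for rec in iter_records(stream):
        if rec.content_type != CT_ALERT or len(rec.fragment) != 2:
            continue
        level, description = rec.fragment
        if description == UNRECOGNIZED_NAME:
            levels.append(ALERT_LEVELS.get(level, "level-%d" % level))
    return levels


def classify(stream: bytes) -> str:
    """'warning' = pre-2.2.30 Apache behaviour (NOT RECOMMENDED by RFC 6066),
    'fatal' = handshake aborted, 'none' = server continued silently."""
    levels = find_sni_alerts(stream)
    if "warning" in levels:
        return "warning"
    if "fatal" in levels:
        return "fatal"
    return "none"


# Constructed sample streams (not real captures). The handshake record carries
# a 4-byte dummy fragment standing in for a ServerHello.
DUMMY_HANDSHAKE = b"\x16\x03\x01\x00\x04\x02\x00\x00\x00"
WARNING_THEN_CONTINUE = b"\x15\x03\x01\x00\x02\x01\x70" + DUMMY_HANDSHAKE  # old Apache
FATAL_ABORT = b"\x15\x03\x01\x00\x02\x02\x70"                              # abort
SILENT_CONTINUE = DUMMY_HANDSHAKE                                          # patched

if __name__ == "__main__":
    for name, stream in [("warning-then-continue", WARNING_THEN_CONTINUE),
                         ("fatal-abort", FATAL_ABORT),
                         ("silent-continue", SILENT_CONTINUE)]:
        print("%-22s -> %s" % (name, classify(stream)))
```

To use it against a real server, feed it the bytes the server sends back after a ClientHello carrying a deliberately wrong SNI name (for example, captured with tcpdump while running `openssl s_client -servername bogus.example -connect host:443`); a result of `warning` is the behaviour the report asks the maintainers to patch out.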