Subject: Server Name Identification extension is compared case-sensitively

Steps to reproduce:

openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -subj /CN=localhost -nodes -batch
openssl req -x509 -newkey rsa:2048 -keyout server2.key -out server2.crt -subj /CN=localhost2 -nodes -batch
openssl s_server -servername localhost -servername_fatal -key2 server2.key -cert2 server2.crt -key server.key -cert server.crt
openssl s_client -servername LOCALHOST -connect localhost:4433 -CAfile /tmp/server.crt

s_client output:

CONNECTED(00000003)
140055110948512:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 395 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

s_server output:

Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT
Hostname in TLS extension: "LOCALHOST"
ERROR
140626628683424:error:1412E0E2:SSL routines:ssl_parse_clienthello_tlsext:clienthello tlsext:t1_lib.c:2553:
140626628683424:error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1223:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Additional info:

RFC 3546, section 3.1:

   If the server only needs to match the HostName against names
   containing exclusively ASCII characters, it MUST compare ASCII names
   case-insensitively.

RFC 6066, section 3:

   "HostName" contains the fully qualified DNS hostname of the server,
   as understood by the client.  The hostname is represented as a byte
   string using ASCII encoding without a trailing dot.  This allows the
   support of internationalized domain names through the use of A-labels
   defined in [RFC5890].  DNS hostnames are case-insensitive.

https://bugzilla.redhat.com/show_bug.cgi?id=1081163

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
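The report above boils down to one comparison: the server must match the HostName from the server_name extension against its configured names the way RFC 3546 section 3.1 and RFC 6066 section 3 require, i.e. as an ASCII byte string, case-insensitively, and dispatch to the matching context (the s_server -servername/-cert2 split in the reproduction). The following is an added example written for this page; it is not OpenSSL code and not the reporter's. It assumes a server that holds a small list of configured names (the sni_hostname_match and sni_select functions are the example's own), and it lowers ASCII explicitly instead of calling tolower() so the result does not depend on the process locale. The non-ASCII sample name is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lower-case a single byte if it is an ASCII upper-case letter; every other
 * byte is returned unchanged. Locale-independent, unlike tolower(). */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Compare the raw HostName bytes from the server_name extension (not
 * NUL-terminated on the wire, hence the explicit length) against one
 * configured server name. RFC 6066: the HostName is ASCII (A-labels for
 * IDNs) with no trailing dot, and DNS names are case-insensitive, so a
 * byte-wise ASCII case fold is the whole comparison. Returns 1 on match,
 * 0 on mismatch or on a HostName that is not valid ASCII. */
int sni_hostname_match(const unsigned char *sni, size_t sni_len,
                       const char *configured)
{
    size_t i;

    if (sni == NULL || configured == NULL || sni_len == 0)
        return 0;
    if (sni_len != strlen(configured))
        return 0;

    for (i = 0; i < sni_len; i++) {
        unsigned char c = sni[i];
        /* Reject NUL, control bytes and anything outside 7-bit ASCII: the
         * extension may not carry raw UTF-8, only A-labels. */
        if (c < 0x20 || c > 0x7e)
            return 0;
        if (ascii_lower(c) != ascii_lower((unsigned char)configured[i]))
            return 0;
    }
    return 1;
}

/* Pick the configured name (and therefore the certificate/context) that the
 * client asked for. Returns the index into names[], or -1 when nothing
 * matches, which is where a server would either fall back to a default
 * context or send unrecognized_name as in the report. */
int sni_select(const unsigned char *sni, size_t sni_len,
               const char *const names[], size_t n_names)
{
    size_t i;

    for (i = 0; i < n_names; i++)
        if (sni_hostname_match(sni, sni_len, names[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* The two names the reproduction configures via -servername and -cert2. */
    const char *const names[] = { "localhost", "localhost2" };
    const unsigned char upper[] = "LOCALHOST";        /* what s_client sent   */
    const unsigned char second[] = "LocalHost2";      /* constructed sample   */
    const unsigned char non_ascii[] = "loc\xe1lhost"; /* constructed, invalid */

    printf("LOCALHOST  -> index %d\n",
           sni_select(upper, sizeof(upper) - 1, names, 2));
    printf("LocalHost2 -> index %d\n",
           sni_select(second, sizeof(second) - 1, names, 2));
    printf("non-ASCII  -> index %d\n",
           sni_select(non_ascii, sizeof(non_ascii) - 1, names, 2));
    return 0;
}
```

With this comparison the reproduction above would select the first context for "LOCALHOST" instead of failing the handshake, while a HostName that is not ASCII is still rejected rather than silently matched.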
