Kyle Nekritz wrote:
>
>> This list is already missing the warning-level "unrecognized_name" alert,
>> and such a change would imply that all new/unrecognized alerts are going
>> to be treated as fatal forever (i.e. that no new warning-level alerts
>> can ever be defined).
>
> That alert is currently defined as a fatal alert (see section 6.2 in the
> current draft). RFC 6066 also states "It is NOT RECOMMENDED to send a
> warning-level unrecognized_name(112) alert, because the client's behavior
> in response to warning-level alerts is unpredictable.", which I think
> illustrates the problem. Allowing new non-fatal alerts to be added later
> would require that existing clients ignore unknown warning alerts,
> which I think is somewhat dangerous.
It seems that RFC 6066 is not clear enough in explaining the issue about
the situation with the two WELL-DEFINED (but poorly implemented)
variants of the TLS alerts:

  (1) unrecognized_name(112) level WARNING
  (2) unrecognized_name(112) level FATAL

See the *ORIGINAL* specification which created *BOTH* of these alert variants:
https://tools.ietf.org/html/rfc3546#page-10

   If the server understood the client hello extension but does not
   recognize the server name, it SHOULD send an "unrecognized_name"
   alert (which MAY be fatal).

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
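The client-side alert handling the thread argues about, as an added example that is not from either poster: a parser for a TLS 1.2 alert record plus a conservative policy that tolerates the warning-level close_notify, user_canceled and unrecognized_name(112) alerts but treats any other warning-level alert as if it were fatal. The record bytes are constructed for the example, and the set of tolerated warnings is an assumed policy, not text from any RFC.

```python
import struct

ALERT_CONTENT_TYPE = 21          # TLS record ContentType for alerts
LEVEL_WARNING, LEVEL_FATAL = 1, 2

# AlertDescription values discussed in the thread (RFC 5246 / RFC 6066).
CLOSE_NOTIFY = 0
USER_CANCELED = 90
UNRECOGNIZED_NAME = 112

# Assumed policy: the only warning-level alerts a client keeps going after.
TOLERATED_WARNINGS = {CLOSE_NOTIFY, USER_CANCELED, UNRECOGNIZED_NAME}


def parse_alert_record(record: bytes):
    """Parse one alert record: 5-byte record header followed by a 2-byte Alert body."""
    if len(record) < 7:
        raise ValueError("record too short for an alert")
    ctype, ver_major, ver_minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) != 7:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = record[5], record[6]
    if level not in (LEVEL_WARNING, LEVEL_FATAL):
        raise ValueError(f"invalid alert level {level}")
    return (ver_major, ver_minor), level, description


def client_action(level: int, description: int) -> str:
    """Decide what a client does: 'continue', 'close' (orderly) or 'abort'."""
    if level == LEVEL_FATAL:
        return "abort"                  # every fatal alert ends the connection
    if description == CLOSE_NOTIFY:
        return "close"                  # peer is shutting down cleanly
    if description in TOLERATED_WARNINGS:
        return "continue"               # e.g. warning-level unrecognized_name
    return "abort"                      # unknown warning: do not guess, fail closed


def handle_record(record: bytes) -> str:
    """Parse a record and return the resulting client action."""
    _, level, description = parse_alert_record(record)
    return client_action(level, description)


# Constructed sample: TLS 1.2 record carrying a warning-level unrecognized_name.
SAMPLE_WARNING_UNRECOGNIZED_NAME = bytes([21, 3, 3, 0, 2, 1, 112])
```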