tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Trailing dot in hostname causes TLS handshake to fail
Date Fri, 14 Nov 2014 01:51:57 GMT

Peter,

On 11/13/14 3:40 PM, Peter Robbins wrote:
> Chris,
> 
> With SSLv3 enabled it succeeds. That makes sense since SNI is only
> TLS.
> 
> 
> I don't have a stack trace, since the exception is handled and
> handshake aborted, but here's the debug output:
> http://pastebin.com/ShqZQVC7.
> 
> Digging a little more into this I think this might be a Java issue.
> From what I can tell Tomcat is just calling getSession() on the
> SSLEngine that jsse sends back to it and Java is the one that's not
> honoring the jsse.enableSNIextension flag. Changing to a Java 7
> runtime fixes the issue (since jsse doesn't have server-side SNI
> support in JRE7), so that being the differentiator, I'll try my
> luck filing a bug with Oracle. >_<
> 
> I might play around and see if an APR setup demonstrates the same
> behavior.

I would guess that APR would be okay, since httpd can handle the
trailing dot (but the client will still complain that the certificate
was issued for "host" and not "host.").

-chris
