6 Oct
2020
6 Oct
'20
11:43 a.m.
Hi all-
I’ve been doing some experiments with SNI and have noticed a potential problem: If SSL.Context->find_cert_domain() doesn’t return a matching certificate, the server handshake doesn’t complete. This causes the client to hang indefinitely. SSL.Context->add_cert() supports (but does not require) a fallback certificate to be specified. Because the server does not control the value it receives, an improperly configured SSL Context could cause a denial of service.
I propose to change SSL.ServerConnection so that an alert message is sent if a certificate cannot be chosen. Does that seem like a reasonable approach? If I don’t hear any objections in the next day or so, I’ll add this to master and 8.0 (where the problem definitely exists).
Bill