TLS Server Name Indication Extension and Unrecognized_name

Heavy Pond, Jianfengling National Forest Park, Ledong, Hainan, China

It's getting hot that some TLS/HTTPS server failed with "unrecognized_name". For example, the Adobe AIR 3 Code Signing Certificate Problem, the ADT handshake alert, and the jarsigner issue with timestamp.geotrust.com, etc. This entry will discussion some background of the "unrecognized_name" alert, and the TLS Server Name Indication (SNI) extension.

Background


"Unrecognized_name" is an error alert, define by RFC4366.  In section 4 of RFC4366: 
- "unrecognized_name": this alert is sent by servers that receive a server_name extension request, but do not recognize the server name.  This message MAY be fatal.
And in section 3.1 of of RFC4366: 
If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal).

From above sections, we see that "unrecognized_name" is related to "the server name" or "server_name" extension. What is the "server name"? In section 3.1 of RFC4366: 
3.1. Server Name Indication 

TLS does not provide a mechanism for a client to tell a server the name of the server it is contacting.  It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address.

In order to provide the server name, clients MAY include an extension of type "server_name" in the (extended) client hello.

Let's Look Into a Case


There is a lot of discussion about the timestamp service from timestamp.EXAMPLE.com. The service is hosted as "https://timestamp.EXAMPLE.com/tsa". Let's look at the scenarios of the access:


  1. Client want to negotiate a TLS connection with timestamp.EXAMPLE.com. By default, the server name indication extension will be included in the client hello. The server name is "timestamp.EXAMPLE.com".  It is expected that:
    • The server does not understand the server name indication extension. No problem, the server will ignore the extension, will continue the negotiation.  No impact on the TLS negotiation/handshaking.
    • The server understands the server name indication extension, but does not recognize the server  name. In this case, that's to say, the server does not think that the server name in the request, "timestamp.EXAMPLE.com", is its supported/recognized server name.
    • The server is able to recognize the server name in the request. The handshaking will go on.

  2.  The server response with a "unexpected_message" fatal alert. As means that the server understand the server name indication extension, but it does not recognize the server name. It looks a little weird in this case in that the server is "timestamp.EXAMPLE.com", but it does not admit that it is "timestamp.EXAMPLE.com".
  3. The client have to terminate the negotiation because the server has denied to continue.

 It is strange, is it? The server, "timestamp.EXAMPLE.com", said it is not ""timestamp.EXAMPLE.com".

Know nothing about the details in TSA server, timestamp.EXAMPLE.com, it looks more like a configuration problem in the server side.

Workaround


It would be nice if the timestamp.EXAMPLE.com server would like to correct the behaviors in server side.  But before the correction, many applications may need to work day to day. As a workaround, the client can disable the server name indication in client hello.

Java platform starts to support server name indication extension from JDK 7.  However, considering the compatibility issues, a system property, "jsse.enableSNIExtension", is defined to disable the extension in TLS handshaking: 
jsse.enableSNIExtension system property.

Server Name Indication (SNI) is a TLS extension, defined in RFC4366.It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address.

Some very old SSL/TLS vendors may not be able handle SSL/TLS extensions. In this case, set this property to false to disable the SNI extension.

OK, let looks at an example in jarsigner in JDK 7.  The 2nd one uses the system property, jsse.enableSNIExtension, to disable the server name indication extension in client. 
$ jarsigner -keystore myKeyStore -tsa https://timestamp.EXAMPLE.com/tsa \
      -signedjar signedjar.jar toBeSigned.jar myKeyAliasInKeyStore

jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: \
      handshake alert:  unrecognized_name

$ jarsigner -J-Djsse.enableSNIExtension=false \
      -keystore myKeyStore -tsa https://timestamp.EXAMPLE.com/tsa \
      -signedjar signedjar.jar toBeSigned.jar myKeyAliasInKeyStore

Hope it helps!



More blog entries about TLS Server Name Indication (SNI) Extension:
JEP 114: TLS SNI Extension - SunJSSE Behavior Changes
JEP 114: TLS SNI Extension - SunJSSE Behavior Changes (Continue)
JEP 114: TLS SNI Extension - Typical User Cases
JEP 114: TLS SNI Extension - Virtual Servers Dispatcher

Popular posts from this blog

JSSE Oracle Provider Preference of TLS Cipher Suites

Perference Order Value Description 1 0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 2 0xC0,0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 3 0x00,0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 4 0xC0,0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 5 0xC0,0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 6 0x00,0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 7 0x00,0x6A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 8 0xC0,0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 9 0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 10 0x00,0x35 TLS_RSA_WITH_AES_256_CBC_SHA 11 0xC0,0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 12 0xC0,0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 13 0x00,0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 14 0x00,0x38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA 15 0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 16 0xC0,0x27 TLS_ECDHE_RSA_WITH_AES_1
Read more

JSSE Oracle Provider Default Disabled TLS Cipher Suites

The following TLS cipher suites are supported by Oracle provider, SunJSSE. These cipher suites are disabled by default because of one of the following reasons: obsoleted weak cipher suites anonymous cipher suites no encryption cipher suites (null cipher) Kerberos cipher suites Cipher suites for Kerberos (KRB5) need additional KRB5 service configuration, and these cipher suites are not common in practice. You are NOT supposed to use these cipher suites unless you really know what you're doing from a standpoint. Perference Value Description 1 0x00,0x6D TLS_DH_anon_WITH_AES_256_CBC_SHA256 2 0xC0,0x19 TLS_ECDH_anon_WITH_AES_256_CBC_SHA 3 0x00,0x3A TLS_DH_anon_WITH_AES_256_CBC_SHA 4 0x00,0x6C TLS_DH_anon_WITH_AES_128_CBC_SHA256 5 0xC0,0x18 TLS_ECDH_anon_WITH_AES_128_CBC_SHA 6 0x00,0x34 TLS_DH_anon_WITH_AES_128_CBC_SHA 7 0xC0,0x16 TLS_ECDH_anon_WITH_RC4_128_SHA 8 0x00,0
Read more