BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING

Extract from RFC 6066:
"If the server understood the ClientHello extension but does not recognize
the server name, the server SHOULD take one of two actions: either abort the
handshake by sending a fatal-level unrecognized_name(112) alert or continue the
handshake. It is NOT RECOMMENDED to send a warning-level unrecognized_name(112)
alert, because the client's behavior in response to warning-level alerts is
unpredictable. If there is a mismatch between the server name used by the
client application and the server name of the credential chosen by the server,
this mismatch will become apparent when the client application performs the
server endpoint identification, at which point the client application will have
to decide whether to proceed with the communication."

Thanks Roberto Guimaraes for the bug repport, spotted with openssl-1.1.0.
This fix must be backported.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1a9c185bb6dc1b5f5b772e52a59990b358e9f358..c626d62a28fd52d9e2547cbd02643c75e0898273 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1625,7 +1625,6 @@ static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
        }
        if (!s->strict_sni)
                /* no certificate match, is the default_ctx */
-               /* the client will alert (was SSL_TLSEXT_ERR_ALERT_WARNING, ignored by Boring) */
                return 1;
  abort:
        /* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */
@@ -1707,7 +1706,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 #endif
                return (s->strict_sni ?
                        SSL_TLSEXT_ERR_ALERT_FATAL :
-                       SSL_TLSEXT_ERR_ALERT_WARNING);
+                       SSL_TLSEXT_ERR_OK);
        }
 
        /* switch ctx */