
I am trying to achieve what some years ago was a problem due to misconfigured servers that caused

"handshake alert: unrecognized_name"

when an SNI-enabled client (Java 1.7 or newer clients) would send, during the handshake, the

Extension server_name, server_name: [type=host_name (0), value=hostname]

For example, this question was about how to avoid this:

https://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0.

My Apache version is 2.4.33, on Ubuntu 16.04, and the config file that I use looks like this:

<IfModule ssl_module>
Listen 8095
</IfModule>

<IfModule mod_gnutls.c>
Listen 8095
</IfModule>

ServerName localhost

<IfModule mod_ssl.c>
    <VirtualHost _default_:8095>
        ServerName value.that.does.not.match.the.cn.in.certificate
        ServerAlias value.that.does.not.match.the.cn.in.certificate
        DocumentRoot /var/www/html

        SSLEngine on
        SSLCertificateFile /path_to_certificates/selfsigned.cert
        SSLCertificateKeyFile /path_to_certificates/selfsigned.key
        SSLVerifyClient none
        SSLVerifyDepth 10
    </VirtualHost>
</IfModule>

I have done some research and I used the following command to check that SNI is enabled for the hostname that I expose through Apache:

openssl s_client -servername hostanametocheck -tlsextdebug -connect hostanametocheck:8095 2>/dev/null | grep "server name"

for which the result is:

TLS server extension "server name" (id=0), len=0

which, from what I've read, is an indicator that Apache sends this extension during the handshake, which in the case of Java clients > 1.7 would end up as an exception during the handshake.

I would expect that my Java client (1.8) would receive that alert and the handshake would fail, but as I landed here, it does not. I have already spent quite a good amount of time trying to figure this out, but it looks like it is beyond my networking and Linux knowledge.

By the way, I am running Apache on my dev machine, hence port 8095 instead of 443. I mapped the hostname to localhost. SNI is enabled on the client side, as I can see in the handshake logs that the extension is sent:

Extension server_name, server_name: [type=host_name (0), value=hostname.that.does.not.match.cn.in.certificate.com]

Your help would be really appreciated!

razvanspt

1 Answer

I had successfully caused the error with Apache 2.2.22 (but some old version, unpatched), as it looks like they started removing that alert from being sent starting with 2.4.1 and some versions back. More on the following link.

https://bz.apache.org/bugzilla/show_bug.cgi?id=56241

razvanspt
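For reference, the `server_name` extension the question quotes (`type=host_name (0), value=...`) and the empty `len=0` extension the server answers with are both defined in RFC 6066. The following encoder/decoder is an added example, not code from the question or the answer; it assumes only the Python standard library and uses constructed hostnames.

```python
"""Encode and decode the TLS server_name (SNI) extension from RFC 6066.

Added example (not from the original post). It shows the bytes an SNI-enabled
client puts in the ClientHello, and decodes the empty extension_data a server
echoes in the ServerHello to acknowledge SNI (the `len=0` line from
`openssl s_client -tlsextdebug` in the question).
"""
import struct
from typing import List, Optional

SNI_EXT_TYPE = 0     # extension type 0 == server_name
HOST_NAME_TYPE = 0   # the only NameType RFC 6066 defines


def encode_sni_extension(hostname: str) -> bytes:
    """Build the full extension (type, length, ServerNameList) for a ClientHello."""
    name = hostname.encode("ascii")  # RFC 6066: ASCII hostname, no trailing dot
    if not name or len(name) > 0xFFFF:
        raise ValueError("invalid hostname length")
    server_name = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list


def decode_sni_extension(data: bytes) -> Optional[List[str]]:
    """Parse a server_name extension.

    Returns the host names carried by a ClientHello, or None for the empty
    extension_data a server sends back to acknowledge the client's SNI.
    """
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SNI_EXT_TYPE or len(data) != 4 + ext_len:
        raise ValueError("not a well-formed server_name extension")
    body = data[4:]
    if ext_len == 0:
        return None  # server acknowledgement: no names, just "len=0"
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("ServerNameList length mismatch")
    names, pos = [], 2
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if name_type != HOST_NAME_TYPE or pos + name_len > len(body):
            raise ValueError("unknown name type or truncated host_name")
        names.append(body[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return names
```

A server that does not know the requested name may instead answer with an `unrecognized_name` alert, which is the behaviour the question is trying to reproduce; the decoder above only covers the success path where the extension is echoed back empty.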