From bc8858f4bc68889a8668a9665e1b7352f1ae5fff Mon Sep 17 00:00:00 2001
From: lloyd
Date: Sat, 9 Jun 2012 07:18:04 +0000
Subject: Avoid a spurious unrecognized_name alert when a server is running in pure anon mode and the client sent a SNI extension.
---
 src/tls/tls_server.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index e412c97ab..fcde7a8ce 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -430,8 +430,17 @@ void Server::process_handshake_msg(Handshake_Type type,
 if(m_hostname != "" && cert_chains.empty())
 {
- send_alert(Alert(Alert::UNRECOGNIZED_NAME));
 cert_chains = get_server_certs("", creds);
+
+ /*
+ * Only send the unrecognized_name alert if we couldn't
+ * find any certs for the requested name but did find at
+ * least one cert to use in general. That avoids sending an
+ * unrecognized_name when a server is configured for purely
+ * anonymous operation.
+ */
+ if(!cert_chains.empty())
+ send_alert(Alert(Alert::UNRECOGNIZED_NAME));
 }
 m_state->server_hello = new Server_Hello(
-- cgit v1.2.3
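Review bot: The `send_alert(Alert(Alert::UNRECOGNIZED_NAME));` call kept in the fallback branch appears to be a warning-level alert (no fatal argument is passed; confirm against the Alert constructor), and RFC 6066 section 3 says a warning-level unrecognized_name is NOT RECOMMENDED because client reactions to it are unpredictable. Since the handshake continues with the default chain from `get_server_certs("", creds)`, consider dropping the alert in that case or putting it under policy control, and record the decision in the comment, e.g. `* Warning-level only: the handshake proceeds with the default chain (RFC 6066 section 3).` Separately, an empty result from both lookups is taken to mean anonymous operation, but nothing in this hunk checks that an anonymous suite is actually enabled, so a credentials manager that returns no chains by mistake now produces no signal at this point; whether that is caught later is not visible, as process_handshake_msg starts and ends outside the hunk.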