commit 6752efdeafeeda6156fb1ebe30db0429cc71adb6
author David Benjamin <davidben@google.com> Mon Jan 02 08:56:47 2017 -0500
committer Adam Langley <agl@google.com> Thu Jan 19 23:03:11 2017 +0000
tree 3d2fc3a56cd618195f5a91b28d046495acf67e9a
parent a8c8b387f1987b4fd8d79f634be9e0a413c75ca1

Never send SNI warning alerts.

TLS 1.3 forbids warning alerts, and sending these is a bad idea. Per RFC
6066:

   If the server understood the ClientHello extension but
   does not recognize the server name, the server SHOULD take one of two
   actions: either abort the handshake by sending a fatal-level
   unrecognized_name(112) alert or continue the handshake.  It is NOT
   RECOMMENDED to send a warning-level unrecognized_name(112) alert,
   because the client's behavior in response to warning-level alerts is
   unpredictable.

The motivation is to cut down on the number of places where we send
non-closing alerts. We can't remove them yet (SSL 3.0 and TLS 1.3 draft
18 need to go), but eventually this can be a simplifying assumption.
Already this means DTLS never sends warning alerts, which is good
because DTLS can't retransmit them.

Change-Id: I577a1eb9c23e66d28235c0fbe913f00965e19486
Reviewed-on: https://boringssl-review.googlesource.com/13221
Reviewed-by: Adam Langley <agl@google.com>

include/openssl/ssl.h

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 70646b0..1f3599d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2359,8 +2359,9 @@
  *
  * If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is
  * not acknowledged in the ServerHello. If the return value is
- * |SSL_TLSEXT_ERR_ALERT_FATAL| or |SSL_TLSEXT_ERR_ALERT_WARNING| then
- * |*out_alert| must be set to the alert value to send. */
+ * |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send,
+ * defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is
+ * ignored and treated as |SSL_TLSEXT_ERR_OK|. */
 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
     SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));
 

ssl/t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a714759..b069e70 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3122,10 +3122,6 @@
       ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
       return -1;
 
-    case SSL_TLSEXT_ERR_ALERT_WARNING:
-      ssl3_send_alert(ssl, SSL3_AL_WARNING, al);
-      return 1;
-
     case SSL_TLSEXT_ERR_NOACK:
       hs->should_ack_sni = 0;
       return 1;