www.cendio.com
Bug 4906 - Document Java 7 ServerName TLS bug
Status: CLOSED FIXED
Product: ThinLinc
Component: Web Access
Version: 4.1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Reported: 2013-11-21 10:27 by
Modified: 2014-04-02 08:55
Description From cendio 2013-11-21 10:27:31
Beginning with Java 1.7 / 7, a bug was introduced which causes TLS connections
to fail, unless the server reports "ServerName". Typical traceback:

basic: Plugin2ClassLoader.addURL parent called for https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar
network: Connecting https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar with proxy=DIRECT
network: Connecting http://usdemo.thinlinc.com:443/ with proxy=DIRECT
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
        at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
...

This is a well known problem:

http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

Oracle refuses to fix this bug. Various workarounds are available, but it seems
none of them works for applets:

https://forums.oracle.com/message/10332444

So, I guess what remains is to document that you need to fix this on the server
side. Typically, this means adding ServerName or ServerAlias entries to the
Apache configuration.
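The failure in the traceback is a server-side check that is easy to verify once you know what to look for. Java 7 sends the TLS server_name (SNI) extension, and a web server with no virtual host whose ServerName or ServerAlias matches that name may answer with an unrecognized_name alert. Apache's mod_ssl of that era sent it at warning level, which OpenSSL-based clients silently ignore but which Java 7 treats as fatal, so testing with curl or a browser does not reproduce the applet failure. The script below is an added example (not ThinLinc or Apache code, and not part of this bug report): it sends a minimal TLS 1.2 ClientHello carrying the hostname from the applet URL to your own server and reports any alert records in the reply, so you can confirm the ServerName/ServerAlias fix took effect. The ClientHello is deliberately minimal (one extension, a handful of cipher suites), which is an assumption that the server will still answer it; the hostnames and sample bytes in the code are constructed.

```python
"""Added example: does a TLS server answer a given SNI name with unrecognized_name?

Not ThinLinc or Apache code. The live check needs a reachable server; the
record parser below works on captured or constructed bytes too.
"""
import os
import socket
import struct

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
ALERT_UNRECOGNIZED_NAME = 112            # AlertDescription unrecognized_name (RFC 6066)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
SERVER_HELLO_DONE = b"\x0e\x00\x00\x00"  # handshake type 14, zero-length body


def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello whose only extension is server_name (SNI)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(name_list)) + name_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    # RSA and ECDHE AES suites; enough for most servers to reply with a ServerHello or an alert
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"               # version 1.2, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                         # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_records(data):
    """Split raw bytes into (content_type, payload) TLS records; a trailing partial record is ignored."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break
        records.append((ctype, data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records


def find_alerts(data):
    """Return [(level_name, description_code)] for every alert record in data."""
    alerts = []
    for ctype, payload in parse_records(data):
        if ctype == CONTENT_ALERT and len(payload) >= 2:
            alerts.append((ALERT_LEVELS.get(payload[0], "unknown"), payload[1]))
    return alerts


def sends_unrecognized_name(data):
    """True when any alert record in data is unrecognized_name, whatever its level."""
    return any(desc == ALERT_UNRECOGNIZED_NAME for _level, desc in find_alerts(data))


def check_server(host, port=443, server_name=None, timeout=5.0):
    """Live check against your own server: send the ClientHello and collect the reply bytes."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        try:
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                # Stop once the server's hello flight is complete or it gave up with a fatal alert
                if any(level == "fatal" for level, _ in find_alerts(data)):
                    break
                if any(t == CONTENT_HANDSHAKE and SERVER_HELLO_DONE in p for t, p in parse_records(data)):
                    break
        except socket.timeout:
            pass
    return data


if __name__ == "__main__":
    import sys
    # usage: python sni_check.py <host> [<server_name from the applet URL>]
    host = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else host
    reply = check_server(host, server_name=name)
    for level, desc in find_alerts(reply):
        tag = " (unrecognized_name)" if desc == ALERT_UNRECOGNIZED_NAME else ""
        print("alert level=%s description=%d%s" % (level, desc, tag))
    print("unrecognized_name for %r: %s" % (name, sends_unrecognized_name(reply)))
```

Run it with the host and, as the second argument, exactly the hostname that appears in the applet URL; a warning-level unrecognized_name in the output means that name matches no ServerName or ServerAlias and Java 7 applets loaded from it will fail, while no alert at all means the fix from this report is in place.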
------- Comment #1 From cendio 2013-11-21 15:41:06 -------
Fixed in 28160.
------- Comment #2 From cendio 2014-03-19 15:41:27 -------
Do we really need to recommend a wildcard ServerName/ServerAlias combination?

I'm not too keen on the phrasing of the fix for this bug either. It's not clear
what 'all names in use' refers to, and it sounds like you need to use wildcards
or things will break.

"Make sure that your web server has been configured with a ServerName or
ServerAlias that matches the server part of the URL which the Java applet is
fetched from." isn't perfect but more in line with how I think.
------- Comment #3 From cendio 2014-03-19 15:47:41 -------
Discussed before and also now. No apparent problems with current wording.