Bug 4906 - Document Java 7 ServerName TLS bug
: ThinLinc
Web Access
: 4.1.0
: PC Unknown
: P2 Normal
: 4.2.0
Reported: 2013-11-21 10:27 by
Modified: 2014-04-02 08:55 (History)

Description From cendio 2013-11-21 10:27:31
Beginning with Java 1.7 / 7, a bug was introduced which causes TLS connections
to fail, unless the server reports "ServerName". Typical traceback:

basic: Plugin2ClassLoader.addURL parent called for
network: Connecting
https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar with
network: Connecting http://usdemo.thinlinc.com:443/ with proxy=DIRECT
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
        at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

This is a well-known problem:


Oracle refuses to fix this bug. Various workarounds are available, but it seems
none of them works for applets:


So, I guess what remains is to document that you need to fix this on the server
side. Typically, this means adding ServerName or ServerAlias entries to the
Apache configuration.
------- Comment #1 From cendio 2013-11-21 15:41:06 -------
Fixed in 28160.
------- Comment #2 From cendio 2014-03-19 15:41:27 -------
Do we really need to recommend a wildcard ServerName/ServerAlias combination?

I'm not too keen on the phrasing of the fix for this bug either. It's not clear
what 'all names in use' refers to, and it sounds like you need to use wildcards
or things will break.

"Make sure that your web server has been configured with a ServerName or
ServerAlias that matches the server part of the URL which the Java applet is
fetched from." isn't perfect but more in line with how I think.
------- Comment #3 From cendio 2014-03-19 15:47:41 -------
Discussed before and also now. No apparent problems with current wording.
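
Added example (not part of the bug report or of ThinLinc's code): a small check of the condition worded in Comment #2, that some ServerName or ServerAlias matches the host part of the URL the applet is fetched from. The configuration text and the example.com / example.net hostnames are constructed; the script assumes the names sit inside <VirtualHost> blocks of a single file and does not follow Include directives.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample configuration; the hostnames are placeholders, not from the bug report.
SAMPLE_CONF = """
<VirtualHost *:443>
    # First vhost carries no names at all
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName https://tl.example.com:443
    ServerAlias www.example.com *.demo.example.com
    SSLEngine on
</VirtualHost>
"""

def vhost_names(conf_text):
    """Collect lower-cased ServerName/ServerAlias values found inside <VirtualHost> blocks."""
    names, in_vhost = [], False
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment line
        directive = parts[0].lower()
        if directive.startswith("<virtualhost"):
            in_vhost = True
        elif directive.startswith("</virtualhost"):
            in_vhost = False
        elif in_vhost and directive == "servername" and len(parts) > 1:
            # ServerName may be written as [scheme://]host[:port]; keep only the host
            host = re.sub(r"^[a-z]+://", "", parts[1].lower())
            names.append(re.sub(r":\d+$", "", host))
        elif in_vhost and directive == "serveralias":
            names.extend(p.lower() for p in parts[1:])
    return names

def matching_names(url, conf_text):
    """Return the configured names that match the host part of `url`."""
    host = (urlsplit(url).hostname or "").lower()
    # ServerAlias accepts * and ? wildcards; fnmatchcase handles both
    return [n for n in vhost_names(conf_text) if fnmatchcase(host, n)]

if __name__ == "__main__":
    for url in ("https://tl.example.com/thinlinc/ThinLincClientVerifier.jar",
                "https://a.demo.example.com/thinlinc/ThinLincClientVerifier.jar",
                "https://other.example.net/thinlinc/ThinLincClientVerifier.jar"):
        hit = matching_names(url, SAMPLE_CONF)
        print(url, "->", hit if hit else "no ServerName/ServerAlias matches")
```

An empty result for the URL the applet is loaded from is the case in which a Java 7 client can be expected to hit the unrecognized_name alert shown in the traceback.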