Bugzilla – Bug 4906
Document Java 7 ServerName TLS bug
Last modified: 2014-04-02 08:55:01
Beginning with Java 1.7 / 7, a bug was introduced which causes TLS connections
to fail, unless the server reports "ServerName". Typical traceback:
basic: Plugin2ClassLoader.addURL parent called for
network: Connecting http://usdemo.thinlinc.com:443/ with proxy=DIRECT
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
This is a well-known problem:
Oracle refuses to fix this bug. Various workarounds are available, but it seems
none of them works for applets:
So, I guess what remains is to document that you need to fix this on the server
side. Typically, this means adding ServerName or ServerAlias entries to the
Fixed in 28160.
Do we really need to recommend a wildcard ServerName/ServerAlias combination?
I'm not too keen on the phrasing of the fix for this bug either. It's not clear
what 'all names in use' refers to, and it sounds like you need to use wildcards
or things will break.
"Make sure that your web server has been configured with a ServerName or
ServerAlias that matches the server part of the URL which the Java applet is
fetched from." isn't perfect but more in line with how I think.
Discussed before and also now. No apparent problems with current wording.
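
Added example, not part of the bug report or the product documentation: a way to confirm from a captured server handshake flight whether a server answers an unmatched name with the unrecognized_name alert seen in the traceback above. The function names and sample bytes are constructed for illustration; the assumption, not stated in the report, is that the alert arrives at warning level followed by a normal handshake, which other clients tolerate.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
FATAL = 2                      # alert level (1 = warning)
UNRECOGNIZED_NAME = 112        # alert description, RFC 6066

def iter_records(data):
    """Yield (content_type, payload) for each TLS record in data."""
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        yield ctype, payload
        pos += 5 + length

def sni_alert_status(flight):
    """Return 'ok', 'warning', 'warning-then-handshake' or 'fatal'."""
    status = "ok"
    for ctype, payload in iter_records(flight):
        if ctype == ALERT and len(payload) == 2 and payload[1] == UNRECOGNIZED_NAME:
            if payload[0] == FATAL:
                return "fatal"
            status = "warning"
        elif ctype == HANDSHAKE and status == "warning":
            # Server warned about the name but continued the handshake.
            return "warning-then-handshake"
    return status

# Constructed sample bytes (not captured from any real server).
WARN_ALERT = bytes([21, 3, 1, 0, 2, 1, 112])
FATAL_ALERT = bytes([21, 3, 1, 0, 2, 2, 112])
SERVER_HELLO_STUB = bytes([22, 3, 1, 0, 4, 2, 0, 0, 0])  # header-only handshake record

if __name__ == "__main__":
    print(sni_alert_status(WARN_ALERT + SERVER_HELLO_STUB))
```

A result of 'warning-then-handshake' for the host name in the applet URL indicates that no ServerName or ServerAlias matched it on the server.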