Bug 4906 - Document Java 7 ServerName TLS bug
Summary: Document Java 7 ServerName TLS bug
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: 4.1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Assignee: Peter Åstrand
URL:
Keywords: derfian_tester, prosaic
Depends on:
Blocks:
Reported: 2013-11-21 10:27 CET by Peter Åstrand
Modified: 2014-04-02 08:55 CEST (History)
Description Peter Åstrand cendio 2013-11-21 10:27:31 CET
Beginning with Java 1.7 / 7, a bug was introduced which causes TLS connections to fail, unless the server reports "ServerName". Typical traceback:

basic: Plugin2ClassLoader.addURL parent called for https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar
network: Connecting https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar with proxy=DIRECT
network: Connecting http://usdemo.thinlinc.com:443/ with proxy=DIRECT
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
        at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
...

This is a well known problem:

http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

Oracle refuses to fix this bug. Various workarounds are available, but it seems none of them works for applets:

https://forums.oracle.com/message/10332444

So, I guess what remains is to document that you need to fix this on the server side. Typically, this means adding ServerName or ServerAlias entries to the Apache configuration.
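The check described above, as an added example that is not part of this bug report or of ThinLinc: a small probe that performs the TLS handshake the Java 7 client performs (with the SNI extension carrying the hostname from the applet URL) and once more without SNI, so an administrator can confirm whether the server answers the name with an unrecognized_name alert before and after adjusting ServerName/ServerAlias. The function names, the classifier's string matching and the placeholder default URL are assumptions of this example; the probe needs network access to the server it is pointed at.

```python
"""Probe a TLS server for the Java 7 SNI 'unrecognized_name' behaviour.

Java 7 started sending the TLS Server Name Indication (SNI) extension.
A web server whose virtual hosts do not list that name may answer with
an unrecognized_name alert and abort the handshake, which is the
traceback shown in the bug. This script connects twice, once with SNI
set to the hostname from the applet URL and once without SNI, so the
difference can be seen directly. (Added example; not project code.)
"""
import socket
import ssl
from urllib.parse import urlsplit


def host_from_url(url):
    """Return (hostname, port) for the server part of an https URL,
    i.e. the name the Java plugin will place in the SNI extension."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https URL, got %r" % url)
    return parts.hostname, parts.port or 443


def classify_ssl_error(message):
    """Map an SSL error message (Java or OpenSSL wording) to a short label.

    Both 'handshake alert:  unrecognized_name' (Java) and
    'tlsv1 alert unrecognized name' (OpenSSL via Python) are recognised.
    """
    text = message.lower().replace("_", " ")
    if "unrecognized name" in text:
        return "unrecognized_name"
    return "other"


def probe_sni(hostname, port=443, use_sni=True, timeout=5.0):
    """Attempt one TLS handshake and report how it ended.

    Returns a dict with the SNI value that was sent (None when disabled)
    and a 'result' of 'ok', 'unrecognized_name', 'other' or 'connect_error'.
    """
    # Certificate validation is deliberately off for this diagnostic: the
    # point is only to observe how the server reacts to the SNI extension.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    server_hostname = hostname if use_sni else None
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return {"sni": server_hostname, "result": "ok",
                        "protocol": tls.version()}
    except ssl.SSLError as exc:
        return {"sni": server_hostname,
                "result": classify_ssl_error(str(exc)), "detail": str(exc)}
    except OSError as exc:
        return {"sni": server_hostname, "result": "connect_error",
                "detail": str(exc)}


if __name__ == "__main__":
    import sys
    # Placeholder default; pass the real applet URL as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else \
        "https://applet-host.example.invalid/thinlinc/ThinLincClientVerifier.jar"
    host, port = host_from_url(url)
    for use_sni in (True, False):
        print(probe_sni(host, port, use_sni=use_sni))
```

If the run with SNI reports unrecognized_name while the run without SNI reports ok, the server has no ServerName or ServerAlias matching the hostname in the URL, which is exactly the case Java 7 clients cannot work around; after the Apache configuration is corrected both runs should report ok.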
Comment 1 Peter Åstrand cendio 2013-11-21 15:41:06 CET
Fixed in 28160.
Comment 2 Karl Mikaelsson cendio 2014-03-19 15:41:27 CET
Do we really need to recommend a wildcard ServerName/ServerAlias combination?

I'm not too keen on the phrasing of the fix for this bug either. It's not clear what 'all names in use' refers to, and it sounds like you need to use wildcards or things will break.

"Make sure that your web server has been configured with a ServerName or ServerAlias that matches the server part of the URL which the Java applet is fetched from." isn't perfect but more in line with how I think.
Comment 3 Peter Åstrand cendio 2014-03-19 15:47:41 CET
Discussed before and also now. No apparent problems with current wording.