Bug 4906 - Document Java 7 ServerName TLS bug
Summary: Document Java 7 ServerName TLS bug
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: 4.1.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.2.0
Assignee: Peter Åstrand
Keywords: derfian_tester, prosaic
Depends on:
Reported: 2013-11-21 10:27 CET by Peter Åstrand
Modified: 2014-04-02 08:55 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Peter Åstrand cendio 2013-11-21 10:27:31 CET
Beginning with Java 1.7 / 7, a bug was introduced which causes TLS connections to fail, unless the server reports "ServerName". Typical traceback:

basic: Plugin2ClassLoader.addURL parent called for https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar
network: Connecting https://usdemo.thinlinc.com/thinlinc/ThinLincClientVerifier.jar with proxy=DIRECT
network: Connecting http://usdemo.thinlinc.com:443/ with proxy=DIRECT
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
        at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

This is a well known problem:


Oracle refuses to fix this bug. Various workarounds are available, but it seems none of them works for applets:


So, I guess what remains is to document that you need to fix this on the server side. Typically, this means adding ServerName or ServerAlias entries to the Apache configuration.
Comment 1 Peter Åstrand cendio 2013-11-21 15:41:06 CET
Fixed in 28160.
Comment 2 Karl Mikaelsson cendio 2014-03-19 15:41:27 CET
Do we really need to recommend a wildcard ServerName/ServerAlias combination?

I'm not too keen on the phrasing of the fix for this bug either. It's not clear what 'all names in use' refer to, and it sounds like you need to use wildcards or things will break.

"Make sure that your web server has been configured with a ServerName or ServerAlias that matches the server part of the URL which the Java applet is fetched from." isn't perfect but more in line with how I think.
Comment 3 Peter Åstrand cendio 2014-03-19 15:47:41 CET
Discussed before and also now. No apparent problems with current wording.

Note You need to log in before you can comment on or make changes to this bug.