Showing posts from December, 2013

TLS Server Name Indication Extension and Unrecognized_name

Reports of TLS/HTTPS servers failing with "unrecognized_name" are becoming a hot topic. For example, the Adobe AIR 3 Code Signing Certificate Problem, the ADT handshake alert, and the jarsigner issue with timestamp.geotrust.com. This entry will discuss some background of the "unrecognized_name" alert and the TLS Server Name Indication (SNI) extension.

Background
"Unrecognized_name" is an error alert, defined by RFC 4366. In section 4 of RFC 4366:
- "unrecognized_name": this alert is sent by servers that receive a server_name extension request, but do not recognize the server name. This message MAY be fatal.
And in section 3.1 of RFC 4366:
If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal).
From the above sections, we see that "unrecognized_name" is related to "the server name" or "server_name" extensi…
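The "MAY be fatal" wording quoted above means the same alert can arrive at warning or fatal level, and a client or handshake monitor has to tell the two apart. The following is an added example, not code from the original post: it parses a plaintext TLS alert record and classifies it. The function names and sample records are constructed for illustration; the numeric values (content type 21, levels 1 and 2, description 112) come from the TLS specifications, not from this page.

```python
import struct

# Values from the TLS specifications (assumption: not quoted on this page).
CONTENT_TYPE_ALERT = 21
LEVEL_WARNING, LEVEL_FATAL = 1, 2
UNRECOGNIZED_NAME = 112


def parse_alert_record(record: bytes):
    """Return (level, description) from one plaintext TLS alert record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    return body[0], body[1]


def classify_sni_alert(record: bytes) -> str:
    """Hypothetical helper: label an alert for a handshake monitor."""
    level, desc = parse_alert_record(record)
    if desc != UNRECOGNIZED_NAME:
        return "other-alert"
    if level == LEVEL_WARNING:
        # Warning level: the alert by itself does not end the handshake.
        return "sni-mismatch-continue"
    if level == LEVEL_FATAL:
        return "sni-mismatch-abort"
    return "malformed-level"


# Constructed sample records (record version 0x0301), not captured traffic.
WARNING_RECORD = bytes([21, 3, 1, 0, 2, 1, 112])
FATAL_RECORD = bytes([21, 3, 1, 0, 2, 2, 112])
HANDSHAKE_FAILURE = bytes([21, 3, 1, 0, 2, 2, 40])

if __name__ == "__main__":
    for name, rec in [("warning", WARNING_RECORD), ("fatal", FATAL_RECORD),
                      ("handshake_failure", HANDSHAKE_FAILURE)]:
        print(name, classify_sni_alert(rec))
```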