RFC 7525, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", May 2015

Note: This RFC has been obsoleted by RFC 9325

Note: This RFC has been updated by RFC 8996

Source of RFC: uta (sec)

Errata ID: 4360
Status: Rejected
Type: Technical
Publication Format(s): TEXT

Reported By: Martin Rex
Date Reported: 2015-05-08
Rejected by: Barry Leiba
Date Rejected: 2015-05-28

Section 6.1 says:

6.1. Host Name Validation

   Application authors should take note that some TLS implementations do
   not validate host names.  If the TLS implementation they are using
   does not validate host names, authors might need to write their own
   validation code or consider using a different TLS implementation.

It should say:

6.1. Host Name Validation

   Application authors should take note that the TLS protocol explicitly
   defers checking of names and attributes of end-entity certificates
   to applications, see last sentence of RFC 5246, Section 1 (TLSv1.2).

   Some TLS implementations may offer a convenience function to perform
   a server endpoint identification according to RFC 2818, Section 3
   (HTTP over TLS).  For TLS implementations without such a convenience
   function, and for applications with different server identification
   schemes, application implementors may have to write the necessary
   code themselves.


TLSv1.0 (rfc2246), TLSv1.1 (rfc4346) and TLSv1.2 (rfc5246) are quite
clear in that the original text is misleading on the actual properties
provided by a TLS implementation itself:


how to interpret the authentication certificates
exchanged are left to the judgment of the designers and implementors
of protocols that run on top of TLS.
The text is not incorrect as it stands, and, while this suggested change would have been good input during document development, it's not an erratum.
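The RFC 2818, Section 3 server endpoint identification that the suggested text refers to, written out as an added illustration (it is not part of the erratum, nor text of RFC 7525 or RFC 2818); it assumes the certificate's dNSName SANs, iPAddress SANs and subject CN have already been decoded into strings, and the host names and addresses in the comments are constructed values.

```python
# Added illustration of RFC 2818 s3.1 endpoint identification, not text from
# the erratum or either RFC; certificate identities arrive as decoded strings.
import ipaddress
import re
from typing import Iterable, Optional


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; '*' covers one label or a fragment of one:
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com',
    'f*.com' matches 'foo.com' but not 'bar.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False  # a wildcard never spans a label boundary
    for p, n in zip(p_labels, n_labels):
        if not n:
            return False
        if "*" not in p:
            if p != n:
                return False
            continue
        # '*' becomes '.*' within this single label; other text matches literally
        regex = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(regex, n) is None:
            return False
    return True


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def verify_server_identity(reference: str, san_dns: Iterable[str],
                           san_ip: Iterable[str], subject_cn: Optional[str]) -> bool:
    """True if the URI host `reference` matches the certificate per RFC 2818 s3.1."""
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # IP literal in the URI: only an exactly matching iPAddress SAN counts.
        return any(_parse_ip(ip) == ref_ip for ip in san_ip)
    san_dns = list(san_dns)
    if san_dns:
        # dNSName SANs present: they are the identity and the CN is ignored.
        return any(_dns_match(p, reference) for p in san_dns)
    # No dNSName SAN: fall back to the most specific Common Name.
    return subject_cn is not None and _dns_match(subject_cn, reference)
```

A TLS library that exposes only the handshake leaves every one of these decisions (SAN precedence, wildcard scope, IP literals) to the application, which is the point the erratum makes.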

