3.4 The TLS alert protocol
The alert protocol allows signals to be sent between peers. These signals are mostly used to inform the peer about the cause of a protocol failure. Some of them are handled internally by the protocol, so the application protocol does not have to cope with them (e.g. GNUTLS_A_CLOSE_NOTIFY), while others concern the application protocol alone (e.g. GNUTLS_A_USER_CANCELED). An alert signal includes a level indication, which is either fatal or warning. Fatal alerts always terminate the current connection and prevent future re-negotiations using the current session ID. All alert messages are summarized in the table of available alert messages below.
The alert messages are protected by the record protocol, so the information they carry is not exposed in transit. You must take extreme care that the alert information does not leak to a possible attacker by other routes, e.g. via public log files. The available functions to control the alert protocol are shown below.
Available alert messages:

| Alert | Number | Description |
| --- | --- | --- |
| GNUTLS_A_CLOSE_NOTIFY | 0 | Close notify |
| GNUTLS_A_UNEXPECTED_MESSAGE | 10 | Unexpected message |
| GNUTLS_A_BAD_RECORD_MAC | 20 | Bad record MAC |
| GNUTLS_A_DECRYPTION_FAILED | 21 | Decryption failed |
| GNUTLS_A_RECORD_OVERFLOW | 22 | Record overflow |
| GNUTLS_A_DECOMPRESSION_FAILURE | 30 | Decompression failed |
| GNUTLS_A_HANDSHAKE_FAILURE | 40 | Handshake failed |
| GNUTLS_A_SSL3_NO_CERTIFICATE | 41 | No certificate (SSL 3.0) |
| GNUTLS_A_BAD_CERTIFICATE | 42 | Certificate is bad |
| GNUTLS_A_UNSUPPORTED_CERTIFICATE | 43 | Certificate is not supported |
| GNUTLS_A_CERTIFICATE_REVOKED | 44 | Certificate was revoked |
| GNUTLS_A_CERTIFICATE_EXPIRED | 45 | Certificate is expired |
| GNUTLS_A_CERTIFICATE_UNKNOWN | 46 | Unknown certificate |
| GNUTLS_A_ILLEGAL_PARAMETER | 47 | Illegal parameter |
| GNUTLS_A_UNKNOWN_CA | 48 | CA is unknown |
| GNUTLS_A_ACCESS_DENIED | 49 | Access was denied |
| GNUTLS_A_DECODE_ERROR | 50 | Decode error |
| GNUTLS_A_DECRYPT_ERROR | 51 | Decrypt error |
| GNUTLS_A_EXPORT_RESTRICTION | 60 | Export restriction |
| GNUTLS_A_PROTOCOL_VERSION | 70 | Error in protocol version |
| GNUTLS_A_INSUFFICIENT_SECURITY | 71 | Insufficient security |
| GNUTLS_A_INTERNAL_ERROR | 80 | Internal error |
| GNUTLS_A_USER_CANCELED | 90 | User canceled |
| GNUTLS_A_NO_RENEGOTIATION | 100 | No renegotiation is allowed |
| GNUTLS_A_UNSUPPORTED_EXTENSION | 110 | An unsupported extension was sent |
| GNUTLS_A_CERTIFICATE_UNOBTAINABLE | 111 | Could not retrieve the specified certificate |
| GNUTLS_A_UNRECOGNIZED_NAME | 112 | The server name sent was not recognized |
| GNUTLS_A_UNKNOWN_PSK_IDENTITY | 115 | The SRP/PSK username is missing or not known |
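As an added illustration (not code from the GnuTLS manual or library), the following Python models the semantics described above: it parses the two-byte alert body out of an already-decrypted TLS alert record (content type 21, level 1 = warning, 2 = fatal, as in the TLS specification), applies the fatal/warning rules, and keeps a detail-free line for public logs separate from the full alert detail meant for a protected log. The sample record bytes and the public/private log split are constructed for this example.

```python
import struct

ALERT_CONTENT_TYPE = 21             # TLS record content type for alert messages
LEVEL_WARNING, LEVEL_FATAL = 1, 2   # AlertLevel values as sent on the wire

# Subset of the alert table above: description byte -> GnuTLS identifier.
ALERT_NAMES = {
    0: "GNUTLS_A_CLOSE_NOTIFY", 10: "GNUTLS_A_UNEXPECTED_MESSAGE",
    20: "GNUTLS_A_BAD_RECORD_MAC", 40: "GNUTLS_A_HANDSHAKE_FAILURE",
    42: "GNUTLS_A_BAD_CERTIFICATE", 48: "GNUTLS_A_UNKNOWN_CA",
    70: "GNUTLS_A_PROTOCOL_VERSION", 90: "GNUTLS_A_USER_CANCELED",
    100: "GNUTLS_A_NO_RENEGOTIATION", 112: "GNUTLS_A_UNRECOGNIZED_NAME",
}

# Constructed sample: TLS 1.0 alert record carrying fatal handshake_failure (40).
SAMPLE_FATAL_HANDSHAKE_FAILURE = bytes.fromhex("15 03 01 00 02 02 28")


def parse_alert_record(record: bytes) -> tuple:
    """Return (level, description) from one plaintext TLS alert record:
    content type (1 byte), version (2), body length (2), then the 2-byte body."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly two bytes")
    level, description = record[5], record[6]
    if level not in (LEVEL_WARNING, LEVEL_FATAL):
        raise ValueError(f"illegal alert level {level}")
    return level, description


def handle_alert(level: int, description: int) -> dict:
    """Decide the application's reaction to a received alert: the action on the
    connection, whether the session ID may still be resumed, and two log lines
    (a generic one for public logs, a detailed one for a protected log only)."""
    name = ALERT_NAMES.get(description, f"unknown alert {description}")
    kind = "fatal" if level == LEVEL_FATAL else "warning"
    private = f"received {kind} alert {name} ({description})"
    if description == 0:  # close_notify is warning-level but still ends the connection
        return {"action": "close", "resumable": True,
                "public_log": "peer closed the TLS connection", "private_log": private}
    if level == LEVEL_FATAL:  # fatal: tear down and never resume this session ID
        return {"action": "abort", "resumable": False,
                "public_log": "TLS connection terminated", "private_log": private}
    return {"action": "continue", "resumable": True,
            "public_log": "TLS warning received", "private_log": private}
```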
This document was generated on January 4, 2012 using texi2html 5.0.