Re: How to handle TLS alerts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 26/10/2022 18:33, pepone.onrez wrote:

I'm trying to understand how to handle TLS alerts, I have set up a callback with

SSL_CTX_set_info_callback(_ctx, ssl_info_callback);

And I can see alerts sent by the peer, does the application need to call SSL_shutdown upon receiving
a fatal alert, or is this done automatically by the OpenSSL library?

A fatal alert indicates an immediate shutdown. You should not call SSL_shutdown() after this. This is only for "normal" shutdowns. On receipt of a fatal alert you can simply close the connection immediately. No alert needs to be sent back.

> With my testing, I see my client gets "read SSL3 alert fatal unknown CA"
> after the call to SSL_connect finishes without error

An endpoint finishes its handshake after it has both sent and received a "Finished" message. This does not happen simultaneously on both endpoints at the same time. In TLSv1.3 the server sends its Finished message first. The client responds with its Certificate/CertificateVerify/Finished messages. At this point the client has completed its handshake (it has both sent and received a Finished message) and so SSL_connect returns successfully. The server however has not yet completed the handshake (it hasn't yet processed the final flight of messages including the Finished message from the client).

If the certificate sent by the client is not acceptable then it will respond with a fatal alert. The client won't see this until it next calls SSL_read. At this point SSL_read() will return an error and SSL_get_error() will indicate SSL_ERROR_SSL. You should just close the connection at this point without calling SSL_shutdown().


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux