tls-server: Use correct error alerts if client doesn't send a certificate
[people/ms/strongswan.git] / src / libtls / tls_server.c
index 4efe04e0828695df4d61ed6dcdb7f0961cef5989..247fe76a6449e3f68444039b68b535507faf87ba 100644 (file)
@@ -713,7 +713,9 @@ static status_t process_certificate(private_tls_server_t *this,
                else
                {
                        DBG1(DBG_TLS, "no certificate sent by peer");
-                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+                       this->alert->add(this->alert, TLS_FATAL,
+                                                        this->tls->get_version_max(this->tls) > TLS_1_2 ?
+                                                        TLS_CERTIFICATE_REQUIRED : TLS_HANDSHAKE_FAILURE);
                        return NEED_MORE;
                }
        }
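Review bot: The alert choice in the added ternary keys on `this->tls->get_version_max(this->tls) > TLS_1_2`, and nothing in the hunk shows whether that accessor returns the negotiated version or only the configured ceiling. If it is the ceiling, a TLS 1.2 session on a 1.3-capable server would get `TLS_CERTIFICATE_REQUIRED`, an alert that only TLS 1.3 defines, so please confirm the value is pinned to the negotiated version before process_certificate() runs. A short comment above the call would record the reasoning, e.g. `/* certificate_required exists only in TLS 1.3 (RFC 8446); older versions answer a missing client certificate with handshake_failure (RFC 5246) */`. The enclosing function and the condition guarding this `else` branch lie outside the hunk, so the case where client authentication is optional cannot be checked from here.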