tls-server: Use correct error alerts if client doesn't send a certificate
authorTobias Brunner <tobias@strongswan.org>
Tue, 1 Mar 2022 09:05:26 +0000 (10:05 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 1 Mar 2022 09:05:26 +0000 (10:05 +0100)
TLS 1.3 defines a specific alert for this, and for TLS 1.2, RFC 5246,
section 7.4.6 defines handshake_failure as the correct response.

src/libtls/tls_server.c

index 4efe04e0828695df4d61ed6dcdb7f0961cef5989..247fe76a6449e3f68444039b68b535507faf87ba 100644 (file)
@@ -713,7 +713,9 @@ static status_t process_certificate(private_tls_server_t *this,
                else
                {
                        DBG1(DBG_TLS, "no certificate sent by peer");
-                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+                       this->alert->add(this->alert, TLS_FATAL,
+                                                        this->tls->get_version_max(this->tls) > TLS_1_2 ?
+                                                        TLS_CERTIFICATE_REQUIRED : TLS_HANDSHAKE_FAILURE);
                        return NEED_MORE;
                }
        }
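Review bot: The alert choice on the added lines keys off `get_version_max()`, which as far as this hunk shows is the server's upper version bound rather than the version actually negotiated with the client; if that bound is not narrowed to the negotiated version during ClientHello processing, a TLS 1.2 client talking to a TLS 1.3-capable server would receive certificate_required, an alert TLS 1.2 does not define. If `set_version()` does collapse the range to the negotiated version after the ClientHello, a comment above the call would make that dependency explicit: `/* version_max holds the negotiated version once the ClientHello has been processed */`. Otherwise the condition should be evaluated against the negotiated version instead. process_certificate starts before and continues after this hunk.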