From: Tobias Brunner
Date: Tue, 1 Mar 2022 09:05:26 +0000 (+0100)
Subject: tls-server: Use correct error alerts if client doesn't send a certificate
X-Git-Tag: 5.9.6rc1~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ade4311bc8a606d9a0094428cdbfbb75762a68d;p=thirdparty%2Fstrongswan.git

tls-server: Use correct error alerts if client doesn't send a certificate

TLS 1.3 defines a specific alert for this and for TLS 1.2, RFC 5246, section 7.4.6 defines handshake_failure as correct response.
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 4efe04e082..247fe76a64 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -713,7 +713,9 @@ static status_t process_certificate(private_tls_server_t *this,
 else
 {
 DBG1(DBG_TLS, "no certificate sent by peer");
- this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+ this->alert->add(this->alert, TLS_FATAL,
+ this->tls->get_version_max(this->tls) > TLS_1_2 ?
+ TLS_CERTIFICATE_REQUIRED : TLS_HANDSHAKE_FAILURE);
 return NEED_MORE;
 }
 }
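Review bot: The alert choice keys on `this->tls->get_version_max(this->tls)`, which only equals the negotiated version if the server has already narrowed the version range by the time the peer's Certificate message is processed; if it still reflects the configured maximum, a peer that negotiated TLS 1.2 would receive the TLS 1.3-only certificate_required alert, which RFC 5246 does not define and which some implementations may treat as an unknown alert. I can't see how the version range is set from this hunk, so this is worth a quick confirmation rather than a definite defect. Either way the protocol reasoning is non-obvious from the code and deserves a comment above the call, e.g. `/* RFC 8446, 4.4.2.4: certificate_required (TLS 1.3); RFC 5246, 7.4.6: handshake_failure (TLS 1.2) */`. process_certificate starts and ends outside the hunk.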