daemon/tls: send fatal alert on handshake failure
authorTomas Krizek <tomas.krizek@nic.cz>
Tue, 26 May 2020 12:29:01 +0000 (14:29 +0200)
committerTomas Krizek <tomas.krizek@nic.cz>
Tue, 26 May 2020 13:11:56 +0000 (15:11 +0200)
If the TLS handshake process fatally fails (e.g. no matching cipher
suite / cert), send an alert to notify the peer.

NEWS
daemon/tls.c

diff --git a/NEWS b/NEWS
index 6a4a6fc8d6db0dcd468d6f5a0dd61ac12a6f1389..94d1abe47a94d68c8d82acd21858c37e4db09584 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ Knot Resolver 5.x.y (2020-0m-dd)
 Bugfixes
 --------
 - hints module: NODATA answers also for non-address queries (!1005)
+- tls: send alert to peer if handshake fails (!1007)
 
 
 Knot Resolver 5.1.1 (2020-05-19)
index c06cfc09923e3805d879902a2ef96c252addb97c..1c69a4b9dd0334ea11fb2aa252b94f04412b9acf 100644 (file)
@@ -253,6 +253,8 @@ static int tls_handshake(struct tls_common_ctx *ctx, tls_handshake_cb handshake_
                kr_log_verbose("[%s] gnutls_handshake failed: %s (%d)\n",
                             logstring,
                             gnutls_strerror_name(err), err);
+               /* Notify the peer about handshake failure via an alert. */
+               gnutls_alert_send_appropriate(ctx->tls_session, err);
                if (handshake_cb) {
                        handshake_cb(session, -1);
                }
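Review bot: The return value of gnutls_alert_send_appropriate() on the added line is discarded, so when the alert cannot be delivered (the push callback reporting a would-block condition, or an error code that maps to no alert) nothing is recorded even at verbose log level, while the failure that triggered it is logged. Since this is a best-effort notification, a verbose log line in the same style as the one above is enough: `int alert_err = gnutls_alert_send_appropriate(ctx->tls_session, err);` / `if (alert_err != GNUTLS_E_SUCCESS)` / `kr_log_verbose("[%s] failed to send TLS alert: %s (%d)\n", logstring, gnutls_strerror_name(alert_err), alert_err);`. Whether the transport here is non-blocking is not visible in the hunk, so the would-block case is inferred. tls_handshake's body starts before and continues after the hunk.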