From 66ea149a963976c43983b13eb5177d7ce57d3b99 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Tue, 26 May 2020 14:29:01 +0200
Subject: [PATCH] daemon/tls: send fatal alert on handshake failure

If the TLS handshake process fatally fails (e.g. no matching cipher suite / cert), sent an alert to notify the peer.
---
 NEWS         | 1 +
 daemon/tls.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index 6a4a6fc8d..94d1abe47 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ Knot Resolver 5.x.y (2020-0m-dd)
 Bugfixes
 --------
 - hints module: NODATA answers also for non-address queries (!1005)
+- tls: send alert to peer if handshake fails (!1007)
 
 Knot Resolver 5.1.1 (2020-05-19)
 
diff --git a/daemon/tls.c b/daemon/tls.c
index c06cfc099..1c69a4b9d 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -253,6 +253,8 @@ static int tls_handshake(struct tls_common_ctx *ctx, tls_handshake_cb handshake_
 		kr_log_verbose("[%s] gnutls_handshake failed: %s (%d)\n",
 			       logstring, gnutls_strerror_name(err), err);
+		/* Notify the peer about handshake failure via an alert. */
+		gnutls_alert_send_appropriate(ctx->tls_session, err);
 		if (handshake_cb) {
 			handshake_cb(session, -1);
 		}
 
-- 
2.47.2
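Review bot: The return value of the added gnutls_alert_send_appropriate() call is dropped, so when the transport cannot take the record (for instance GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED from a non-blocking push callback) the alert is silently lost while the verbose log still reads as if the peer was notified. Since the session is being torn down right after, retrying is not worth the complexity, but the failure should be visible at the same log level: `int alert_err = gnutls_alert_send_appropriate(ctx->tls_session, err);` followed by `if (alert_err != GNUTLS_E_SUCCESS) kr_log_verbose("[%s] failed to send alert: %s (%d)\n", logstring, gnutls_strerror_name(alert_err), alert_err);`. The comment would also be more useful if it said the send is best-effort and that for some error codes GnuTLS chooses to send no alert at all, e.g. `/* Best-effort: notify the peer via an alert; gnutls picks the alert (or none) from err. */`. The enclosing branch of tls_handshake starts and ends outside this hunk, so I am assuming from the "gnutls_handshake failed" log that it is reached only for fatal errors; if a transient code such as GNUTLS_E_AGAIN can reach it, an alert would be sent on a handshake that could still have completed.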