From 2ade4311bc8a606d9a0094428cdbfbb75762a68d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 1 Mar 2022 10:05:26 +0100
Subject: [PATCH] tls-server: Use correct error alerts if client doesn't send a certificate

TLS 1.3 defines a specific alert for this and for TLS 1.2, RFC 5246, section 7.4.6 defines handshake_failure as correct response.
---
 src/libtls/tls_server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 4efe04e08..247fe76a6 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -713,7 +713,9 @@ static status_t process_certificate(private_tls_server_t *this,
 	else
 	{
 		DBG1(DBG_TLS, "no certificate sent by peer");
-		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		this->alert->add(this->alert, TLS_FATAL,
+						 this->tls->get_version_max(this->tls) > TLS_1_2 ?
+						 TLS_CERTIFICATE_REQUIRED : TLS_HANDSHAKE_FAILURE);
 		return NEED_MORE;
 	}
 }
-- 
2.47.3
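Review bot: The alert selection on the added lines keys off `get_version_max()`, which only picks the right alert if the TLS object has already been pinned to the negotiated version by the time process_certificate runs; if it still reports the server's configured ceiling, a TLS 1.2 client talking to a TLS-1.3-capable server would be sent certificate_required (116), an alert code RFC 5246 does not define, instead of handshake_failure. I believe the server hello processing narrows min/max to the agreed version, but that dependency is invisible here, so a one-line comment would help the next reader: `/* version is pinned to the negotiated one by now, so max == negotiated */`. With that assumption holding, the new alerts match RFC 5246 section 7.4.6 and RFC 8446 section 4.4.2.4, and the return of NEED_MORE after a fatal alert keeps the existing abort path. process_certificate begins before this hunk.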