Send alert messages on handshake failures #62

zinid · 2024-01-09T15:54:33Z

When SSL_do_handshake() fails we should send data even when SSL_ERROR_WANT_WRITE is not reported (because a final error such as "unsupported protocol" is reported).

If we don't do it, we don't send handshake alerts toward the peer and as a consequence:

We formally violate RFC 5246, appendix E.1:

If server supports (or is willing to use) only versions greater
than client_version, it MUST send a "protocol_version" alert message
and close the connection.
We are complicating the debugging of the protocol.
We don't give a hint to a peer on how to proceed with the error.

This commit fixes it.

When SSL_do_handshake() fails we should send data even when SSL_ERROR_WANT_WRITE is not reported (because a final error such as "unsupported protocol" is reported). If we don't do it, we don't send handshake alerts toward the peer and as a consequence: - We formally violate RFC 5246, appendix E.1: > If server supports (or is willing to use) only versions greater > than client_version, it MUST send a "protocol_version" alert message > and close the connection. - We are complicating the debugging of the protocol. - We don't give a hint to a peer on how to proceed with the error. This commit fixes it.

coveralls · 2024-01-09T15:56:46Z

coverage: 57.285% (+0.3%) from 56.971%
when pulling f83322c on zinid:send-handshake-failure
into 4ae9adf on processone:master.

alexeyshch merged commit 82d4e5b into processone:master Jan 9, 2024
5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Send alert messages on handshake failures #62

Send alert messages on handshake failures #62

zinid commented Jan 9, 2024

coveralls commented Jan 9, 2024

Send alert messages on handshake failures #62

Send alert messages on handshake failures #62

Conversation

zinid commented Jan 9, 2024

coveralls commented Jan 9, 2024