TLS handshake problems
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Nov 29 09:22:17 CET 2008
Metzler, Richard wrote:
> Hello,
>
> currently I am testing a TLS connection using GnuTLS 2.2.5 on server
> and client side. For the TCP communication Diameter is used.
>
> There are situations that on both sides the TLS handshake fails, e.g.
> due to a wrong client certificate (Gnu TLS error code
> NO_CERTIFICATE_FOUND). But in this special case the server finishes the
> handshake with error and the client is still waiting in the handshake.
> Now the server announces closing the connection to the client by sending
> the Diameter disconnect message (DPR). This message is received by the
> client GnuTLS when expecting a TLS message, preventing a correct
> shutdown of the connection.
> To avoid this problem I added a call to gnutls_alert_send_appropriate in
> case the server finishes the handshake with errors. This helps to finish
> the handshake on the client side in this case, but there are situations
> when the handshake is finished on both sides with an error. Then the
> additional alert message would be interpreted on the client side as
> Diameter message which also is not correct.
> My question is, is there a way for the server to decide whether the
> alert has to be sent or not, i.e. to detect the state of the client -
> maybe by evaluating the result code of the handshake?
No. If the connection fails for some reason you should not try to reuse it.
regards,
Nikos
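The failure described in the question comes down to what the client's record layer sees on the wire. A client blocked in the handshake expects a TLS record (5-byte header: content type, version, length). A TLS alert is such a record; a Diameter message is not, since its first byte is the Diameter version (1), which is not a valid TLS content type. The following added illustration (written for this archive page, not code from the thread, from Diameter, or from GnuTLS) builds both kinds of message and shows how a minimal record-layer parser classifies them. The byte values are constructed sample data; the Diameter DPR header carries no AVPs and the hop-by-hop and end-to-end identifiers are arbitrary.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
}
DIAMETER_DPR_CODE = 282  # Disconnect-Peer-Request command code (RFC 3588)


def build_alert_record(level, description, version=0x0301):
    """Build one TLS alert record: 5-byte record header followed by a 2-byte alert body."""
    body = bytes([level, description])
    return struct.pack(">BHH", 21, version, len(body)) + body


def build_diameter_dpr(hop_by_hop=0x1000, end_to_end=0x2000):
    """Constructed 20-byte Diameter DPR header with no AVPs (sample data, not captured traffic)."""
    length = 20          # header only
    flags = 0x80         # 'R' bit set: this is a request
    return (bytes([1])                                   # Diameter version
            + length.to_bytes(3, "big")
            + bytes([flags])
            + DIAMETER_DPR_CODE.to_bytes(3, "big")
            + struct.pack(">III", 0, hop_by_hop, end_to_end))  # app id, hop-by-hop, end-to-end


def parse_tls_record(buf):
    """Parse one TLS record; raise ValueError if the bytes cannot be a TLS record."""
    if len(buf) < 5:
        raise ValueError("short read: need at least a 5-byte record header")
    ctype, version, length = struct.unpack(">BHH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if version >> 8 != 3:
        raise ValueError(f"unexpected protocol version 0x{version:04x}")
    if len(buf) < 5 + length:
        raise ValueError("truncated record")
    return {"content_type": CONTENT_TYPES[ctype], "version": version, "payload": buf[5:5 + length]}


def describe_incoming_during_handshake(buf):
    """What a client still inside the handshake makes of the next bytes it reads."""
    try:
        rec = parse_tls_record(buf)
    except ValueError as err:
        return f"not a TLS record ({err}); handshake aborts with an unexpected-packet error"
    if rec["content_type"] == "alert" and len(rec["payload"]) == 2:
        level, desc = rec["payload"]
        return f"alert: {ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(desc, desc)}"
    return f"{rec['content_type']} record; handshake continues"


if __name__ == "__main__":
    # The DPR sent on a failed session is garbage to the client's TLS layer:
    print(describe_incoming_during_handshake(build_diameter_dpr()))
    # A fatal alert is understood and ends the client's handshake cleanly:
    print(describe_incoming_during_handshake(build_alert_record(2, 42)))
```

The parser rejects the DPR at the very first byte, which is why the client cannot shut the connection down correctly once the server starts speaking Diameter on a session whose handshake never completed; the alert record, by contrast, is parsed and terminates the handshake. This is consistent with the reply above: once the handshake has failed, the transport should be closed rather than reused for application messages.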