TLS handshake problems

[Metzler, Richard]

Hello,

currently I am testing a TLS connection using Gnu TLS 2.2.5.on server and client side. For the TCP communication Diameter is used.

There are situations that on both sides the TLS handshake fails, e.g. due to a wrong client certificate (Gnu TLS error code NO_CERTIFICATE_FOUND). But in this special case the server finishes the handshake with error and the client is still waiting in the handshake.

Now the server announces closing the connection to the client by sending the Diameter disconnect message (DPR). This message is received by the client Gnu TLS when expecting a TLS message, preventing a correct shut down of the connection.

To avoid this problem I added a call to gnutls_alert_send_appropriate in case the server finishes the handshake with errors. This helps to finish the handshake on the client side in this case, but there are situations when the handshake is finished on both sides with an error. Then the additional alert message would be interpreted on the client side as Diameter message which also is not correct.

My question is, is there a way for the server to decide whether the alert has to be sent or not, i.e. to detect the state of the client – maybe by evaluating the result code of the handshake?

Regards,

Richard

----------------------------------------------------------------------------------------------------------------------------------------

LHS Telekommunikation GmbH & Co. KG,

Address: Herriotstrasse 1, D-60528 Frankfurt, Germany,

Phone +49 (0)69 2383 3000, Fax +49 (0)69 2383 5000

Commercial Register: Amtsgericht Frankfurt/Main - Registration Number HRA 42727

Personally Liable Partner: LHS Management GmbH - Registration Number HRB 75504

Amtsgericht Frankfurt/Main

Managing Directors: Wolfgang Kroh, Axel Barta, Dr. Jens Troetscher

----------------------------------------------------------------------------------------------------------------------------------------