[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TLS handshake problems
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
Re: TLS handshake problems |
|
Date: |
Sat, 29 Nov 2008 10:22:17 +0200 |
|
User-agent: |
Thunderbird 2.0.0.18 (X11/20081125) |
Metzler, Richard wrote:
> Hello,
>
> currently I am testing a TLS connection using Gnu TLS 2.2.5.on server
> and client side. For the TCP communication Diameter is used.
>
> There are situations that on both sides the TLS handshake fails, e.g.
> due to a wrong client certificate (Gnu TLS error code
> NO_CERTIFICATE_FOUND). But in this special case the server finishes the
> handshake with error and the client is still waiting in the handshake.
> Now the server announces closing the connection to the client by sending
> the Diameter disconnect message (DPR). This message is received by the
> client Gnu TLS when expecting a TLS message, preventing a correct shut
> down of the connection.
> To avoid this problem I added a call to gnutls_alert_send_appropriate in
> case the server finishes the handshake with errors. This helps to finish
> the handshake on the client side in this case, but there are situations
> when the handshake is finished on both sides with an error. Then the
> additional alert message would be interpreted on the client side as
> Diameter message which also is not correct.
> My question is, is there a way for the server to decide whether the
> alert has to be sent or not, i.e. to detect the state of the client -
> maybe by evaluating the result code of the handshake?
No. If the connection fails for some reason you should not try to reuse it.
regards,
Nikos