TLS handshake problems

Metzler, Richard Richard.Metzler at
Thu Nov 27 09:21:25 CET 2008


currently I am testing a TLS connection using Gnu TLS 2.2.5.on server
and client side. For the TCP communication Diameter is used.

There are situations that on both sides the TLS handshake fails, e.g.
due to a wrong client certificate (Gnu TLS error code
NO_CERTIFICATE_FOUND). But in this special case the server finishes the
handshake with error and the client is still waiting in the handshake.
Now the server announces closing the connection to the client by sending
the Diameter disconnect message (DPR). This message is received by the
client Gnu TLS when expecting a TLS message, preventing a correct shut
down of the connection.
To avoid this problem I added a call to gnutls_alert_send_appropriate in
case the server finishes the handshake with errors. This helps to finish
the handshake on the client side in this case, but there are situations
when the handshake is finished on both sides with an error. Then the
additional alert message would be interpreted on the client side as
Diameter message which also is not correct.
My question is, is there a way for the server to decide whether the
alert has to be sent or not, i.e. to detect the state of the client -
maybe by evaluating the result code of the handshake?



LHS Telekommunikation GmbH & Co. KG, 
Address: Herriotstrasse 1, D-60528 Frankfurt, Germany, 
Phone +49 (0)69 2383 3000, Fax +49 (0)69 2383 5000
Commercial Register: Amtsgericht Frankfurt/Main - Registration Number HRA 42727
Personally Liable Partner: LHS Management GmbH - Registration Number HRB 75504
Amtsgericht Frankfurt/Main
Managing Directors: Wolfgang Kroh, Axel Barta, Dr. Jens Troetscher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20081127/3c5048e4/attachment.htm>

More information about the Gnutls-devel mailing list