TLS handshake problems
nmav at gnutls.org
Sat Nov 29 09:22:17 CET 2008
Metzler, Richard wrote:
> currently I am testing a TLS connection using Gnu TLS 2.2.5.on server
> and client side. For the TCP communication Diameter is used.
> There are situations that on both sides the TLS handshake fails, e.g.
> due to a wrong client certificate (Gnu TLS error code
> NO_CERTIFICATE_FOUND). But in this special case the server finishes the
> handshake with error and the client is still waiting in the handshake.
> Now the server announces closing the connection to the client by sending
> the Diameter disconnect message (DPR). This message is received by the
> client Gnu TLS when expecting a TLS message, preventing a correct shut
> down of the connection.
> To avoid this problem I added a call to gnutls_alert_send_appropriate in
> case the server finishes the handshake with errors. This helps to finish
> the handshake on the client side in this case, but there are situations
> when the handshake is finished on both sides with an error. Then the
> additional alert message would be interpreted on the client side as
> Diameter message which also is not correct.
> My question is, is there a way for the server to decide whether the
> alert has to be sent or not, i.e. to detect the state of the client -
> maybe by evaluating the result code of the handshake?
No. If the connection fails for some reason you should not try to reuse it.
More information about the Gnutls-devel