[gnutls-devel] GnuTLS | Amend error code when SNI name is not accepted (!891)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Jan 25 18:14:51 CET 2019

Nikos Mavrogiannopoulos commented on a discussion on lib/ext/server_name.c:

>  			DECR_LEN(data_size, len);
>  			if (type == 0) { /* NAME_DNS */
> -				if (!_gnutls_dnsname_is_valid((char*)p, len))
> -					return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
> +				if (!_gnutls_dnsname_is_valid((char*)p, len)) {
> +					_gnutls_handshake_log
> +					    ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
> +					     session, (int) len, p);
> +					return gnutls_assert_val(GNUTLS_E_UNRECOGNIZED_NAME);

> As @dueno pointed out in https://gitlab.com/gnutls/gnutls/issues/683#note_134637845, the standards demand `ILLEGAL_PARAMETER`. So I changed the return value back to `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` and just left the logging message in. It gives us an explanation what happened with `gnutls-serv -d 4`.

Note that the standards' requirements are on the alert returned to the peer. The error the application received is fully under our control. It is normal to return a descriptive error code to application and map it to a specific alert.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/891#note_135108701
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190125/93d00786/attachment.html>

More information about the Gnutls-devel mailing list