[Help-gnutls] Handling "normal" peer errors on invalid certs

Philip Kovacs kovacsp3 at comcast.net
Tue Jun 12 17:26:53 CEST 2007


Hi.  I'm new to GnuTLS.  I'm using it for a client-server library and 
I have a fairly basic question.

When my server is configured to require x.509 client certificates,
and the client either fails to send one, or sends an invalid one,
the server detects this error during its gnutls_handshake() and
I have the server break off the connection, as desired.

The client's gnutls_handshake(), upon server break-off is returning
either GNUTLS_E_PUSH_ERROR or GNUTLS_E_UNEXPECTED_PACKET_LENGTH.

The server situation is similar:  if the client detects an invalid
server certificate, I have the client break off the connection.  
The server then sees GNUTLS_E_UNEXPECTED_PACKET_LENGTH in its (first) 
gnutls_record_recv().

Is there something more I need to do in order to close the communication
down more "gracefully" in situations where certificate failures are seen?

Just seems odd to be handling GNUTLS_E_PUSH_ERROR or
GNUTLS_E_UNEXPECTED_PACKET_LENGTH "normally" when the other side doesn't
like the certificate.

I'm using GnuTLS 1.4.4 for the moment.

Thanks.

Phil
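Added example for the question above (not code from the post, and not GnuTLS source): what a "graceful" certificate rejection puts on the wire, and how the receiving side can tell it apart from the bare TCP close the post describes. TLS ends a failed handshake with a fatal alert record (RFC 2246 section 7.2; the codes below are copied from there, the 3.1 version bytes assume TLS 1.0), so the peer's handshake fails with a reason instead of a short read. In GnuTLS the rejecting side gets this by calling gnutls_alert_send() or gnutls_alert_send_appropriate(session, err) before closing the socket (gnutls_bye() for a close_notify after a completed handshake), and the other side then sees GNUTLS_E_FATAL_ALERT_RECEIVED from gnutls_handshake() or gnutls_record_recv() and can read the description with gnutls_alert_get(). The cert_verdict enum is a constructed stand-in for the application's own verification result. Two caveats: the parser only applies to alerts sent before ChangeCipherSpec (the client rejecting a server certificate after gnutls_handshake() has returned sends an encrypted alert that only the library can decode), and the alert is unauthenticated plaintext, so it is a diagnostic for logging, never a reason to retry with weaker checking.

```c
/* Constructed example: wire format of a fatal TLS alert and its classification
 * on the receiving side. Not from the original post and not GnuTLS code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Record type and alert codes from RFC 2246 (TLS 1.0), section 7.2. */
#define TLS_CT_ALERT               21
#define TLS_AL_WARNING             1
#define TLS_AL_FATAL               2
#define TLS_AD_CLOSE_NOTIFY        0
#define TLS_AD_HANDSHAKE_FAILURE   40
#define TLS_AD_BAD_CERTIFICATE     42
#define TLS_AD_CERTIFICATE_EXPIRED 45
#define TLS_AD_UNKNOWN_CA          48

/* Why the local side rejected the peer: a constructed stand-in for the
 * verification status the application derives from its own checks. */
enum cert_verdict { CERT_OK, CERT_MISSING, CERT_EXPIRED, CERT_UNTRUSTED_CA, CERT_OTHER_INVALID };

/* What the receiving side can conclude from the last bytes read before EOF. */
enum close_kind { CLOSE_ABRUPT, CLOSE_WARNING_ALERT, CLOSE_FATAL_ALERT, CLOSE_NOT_AN_ALERT, CLOSE_MALFORMED };

/* Encode one alert record: 5-byte record header plus a 2-byte alert body.
 * ProtocolVersion 3.1 (TLS 1.0) is assumed; a TLS 1.1 stack writes 3.2. */
size_t tls_alert_encode(uint8_t level, uint8_t desc, uint8_t out[7])
{
    out[0] = TLS_CT_ALERT;
    out[1] = 3; out[2] = 1;   /* ProtocolVersion 3.1 */
    out[3] = 0; out[4] = 2;   /* body length */
    out[5] = level;
    out[6] = desc;
    return 7;
}

/* Rejecting side: choose the alert that tells the peer why the handshake is
 * being aborted. Returns the bytes to push before closing, 0 if nothing. */
size_t tls_reject_encode(enum cert_verdict v, uint8_t out[7])
{
    switch (v) {
    case CERT_OK:           return 0;
    case CERT_MISSING:      return tls_alert_encode(TLS_AL_FATAL, TLS_AD_HANDSHAKE_FAILURE, out); /* RFC 2246 7.4.6 */
    case CERT_EXPIRED:      return tls_alert_encode(TLS_AL_FATAL, TLS_AD_CERTIFICATE_EXPIRED, out);
    case CERT_UNTRUSTED_CA: return tls_alert_encode(TLS_AL_FATAL, TLS_AD_UNKNOWN_CA, out);
    default:                return tls_alert_encode(TLS_AL_FATAL, TLS_AD_BAD_CERTIFICATE, out);
    }
}

/* Receiving side: classify the final record (or the lack of one) before the
 * connection went away. Only meaningful for alerts sent before ChangeCipherSpec;
 * after that point the record is encrypted and only the TLS library can read it. */
enum close_kind tls_classify_close(const uint8_t *buf, size_t len, uint8_t *desc_out)
{
    if (len == 0) return CLOSE_ABRUPT;                 /* FIN/RST with no alert at all */
    if (len < 5)  return CLOSE_MALFORMED;              /* not even a record header */
    if (buf[0] != TLS_CT_ALERT) return CLOSE_NOT_AN_ALERT;
    size_t body = ((size_t)buf[3] << 8) | buf[4];
    if (body != 2 || len < 7) return CLOSE_MALFORMED;  /* alert body is exactly 2 bytes */
    if (desc_out) *desc_out = buf[6];
    if (buf[5] == TLS_AL_FATAL)   return CLOSE_FATAL_ALERT;
    if (buf[5] == TLS_AL_WARNING) return CLOSE_WARNING_ALERT;
    return CLOSE_MALFORMED;
}

/* Round trip: what the peer classifies when we reject for reason v. */
enum close_kind tls_reject_round_trip(enum cert_verdict v, uint8_t *desc_out)
{
    uint8_t rec[7];
    size_t n = tls_reject_encode(v, rec);
    return tls_classify_close(rec, n, desc_out);
}

const char *tls_alert_name(uint8_t desc)
{
    switch (desc) {
    case TLS_AD_CLOSE_NOTIFY:        return "close_notify";
    case TLS_AD_HANDSHAKE_FAILURE:   return "handshake_failure";
    case TLS_AD_BAD_CERTIFICATE:     return "bad_certificate";
    case TLS_AD_CERTIFICATE_EXPIRED: return "certificate_expired";
    case TLS_AD_UNKNOWN_CA:          return "unknown_ca";
    default:                         return "other";
    }
}

int main(void)
{
    uint8_t desc = 0;
    enum cert_verdict reasons[] = { CERT_MISSING, CERT_EXPIRED, CERT_UNTRUSTED_CA, CERT_OTHER_INVALID };
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++) {
        enum close_kind k = tls_reject_round_trip(reasons[i], &desc);
        printf("reject reason %d -> peer sees %s alert %s (%u)\n", (int)reasons[i],
               k == CLOSE_FATAL_ALERT ? "fatal" : "?", tls_alert_name(desc), (unsigned)desc);
    }
    /* The situation in the post: the socket is closed with no alert at all. */
    printf("bare close -> %s\n", tls_classify_close(NULL, 0, NULL) == CLOSE_ABRUPT
           ? "CLOSE_ABRUPT (indistinguishable from a network fault)" : "?");
    return 0;
}
```

The CLOSE_ABRUPT branch is the case from the post: without an alert, a handshake that was deliberately aborted over a bad certificate looks exactly like a dropped connection, which is why the peer ends up treating GNUTLS_E_PUSH_ERROR or GNUTLS_E_UNEXPECTED_PACKET_LENGTH as a "normal" outcome.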