Re: [TLS] new error alerts?

Jeffrey Walton <> Thu, 23 July 2015 17:58 UTC

Date: Thu, 23 Jul 2015 11:17:07 -0400
From: Jeffrey Walton <>
To: Dave Garrett <>
Subject: Re: [TLS] new error alerts?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Wed, Jul 22, 2015 at 9:39 PM, Dave Garrett <> wrote:
> Hubert Kairo found quite a few more spots in need of explicit error designations, which have been amended into PR #201.
> I just noticed one error in the current draft text that was wrong and added a fix for that as well. The Server Hello section said that lack of acceptable group would result in an "insufficient_security" error, which is incorrect. That error is clearly defined to be for lack of acceptable cipher suite. The Negotiated Groups section says lack of acceptable group is a "handshake_failure" error. I changed the text to state the error for suites, as the other is already noted elsewhere. (this change is now in PR #201)
>
> This brings up a problem, however: there is no distinct error for lack of group support. The "handshake_failure" is a bit of a catchall, so there's no way for a client to really know what's wrong if this happens. This is also why I don't want to change the definition of the "insufficient_security" error. Clients rely on these being relatively precise in order to show error messages that are hopefully meaningful enough to get them fixed.
>
> As such, I'd like to propose adding a new error just for this and renaming the old one to focus precisely on its long defined meaning. While we're at it, a failure of client authentication doesn't have its own error alert code either.
>   enum {
>        handshake_failure(40),
>        unsupported_cipher_suites(71),  /* formerly insufficient_security */
>        unsupported_dh_groups(72),  /* new */
>        client_authentication_failure(73),  /* new */
>        (255)
>    } AlertDescription;
> Pretty straightforward. Are there any other errors that can't be clearly identified by the returned code? Debugging shouldn't be guesswork. ;)
Alert 40 shows up frequently in my debugging experiences. A few things
can cause it. It would be nice to see that one broken out.
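The thread's point is that alert 40 carries no information about its cause, while a more specific code would. The following is an added example, not code from the thread or from any TLS implementation: it parses a plaintext TLS alert record, validates its framing, and maps the description byte to a name using either the RFC 5246 registry or the enum quoted above (the "proposed" table, whose names are the proposal's, not registered values). The record bytes are constructed inline.

```python
"""Decode TLS alert records and map description codes to names.

Constructed example, not code from the thread or any TLS implementation.
Standard codes are from RFC 5246 section 7.2; PROPOSED_ALERTS holds the codes
from the AlertDescription enum quoted in the message above (PR #201 at the time).
"""
import struct
from dataclasses import dataclass

ALERT_CONTENT_TYPE = 21          # TLS record ContentType.alert
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values registered by RFC 5246
RFC5246_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# The enum proposed in the quoted message; proposal names, not registered values.
PROPOSED_ALERTS = {
    40: "handshake_failure",
    71: "unsupported_cipher_suites",      # formerly insufficient_security
    72: "unsupported_dh_groups",
    73: "client_authentication_failure",
}


@dataclass
class Alert:
    level: str
    code: int
    name: str
    # True when the code tells the peer nothing more specific than "handshake failed"
    catch_all: bool


def parse_alert_record(record: bytes, table=RFC5246_ALERTS) -> Alert:
    """Parse one TLS record whose ContentType is alert.

    Raises ValueError on anything malformed, so a caller never acts on a
    truncated or mis-typed record.
    """
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError(f"alert body must be exactly 2 bytes, got {length}")
    level_code, desc = record[5], record[6]
    level = ALERT_LEVELS.get(level_code)
    if level is None:
        raise ValueError(f"unknown alert level {level_code}")
    name = table.get(desc, f"unknown({desc})")
    return Alert(level=level, code=desc, name=name, catch_all=(desc == 40))


def build_alert_record(level: int, desc: int, version=(3, 3)) -> bytes:
    """Build a plaintext alert record; version (3, 3) is TLS 1.2 on the wire."""
    return struct.pack("!BBBH", ALERT_CONTENT_TYPE, *version, 2) + bytes([level, desc])


def describe(record: bytes, table=RFC5246_ALERTS) -> str:
    """One-line summary of the kind a client would put in its error log."""
    a = parse_alert_record(record, table)
    hint = " (catch-all; cause not identifiable from the code)" if a.catch_all else ""
    return f"{a.level} alert {a.code} {a.name}{hint}"


if __name__ == "__main__":
    # Constructed sample: the fatal handshake_failure (alert 40) discussed above
    rec = build_alert_record(2, 40)
    print(rec.hex(), "->", describe(rec))
    # Same framing with a proposed code: the client learns the actual cause
    rec2 = build_alert_record(2, 72)
    print(rec2.hex(), "->", describe(rec2, PROPOSED_ALERTS))
```

The length check matters in practice: an alert body is always exactly two bytes, and rejecting anything else keeps a decoder from reading a stray description byte out of a malformed record.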