The alert protocol allows signals to be sent between peers.
These signals are mostly used to inform the peer about the cause of a
protocol failure. Some of these signals are used internally by the
protocol and the application protocol does not have to cope with them
(e.g. GNUTLS_A_CLOSE_NOTIFY), and others refer solely to the
application protocol (e.g. GNUTLS_A_USER_CANCELED). An
alert signal includes a level indication which may be either fatal or
warning (under TLS 1.3 all alerts are fatal). Fatal alerts always terminate
the current connection, and prevent future re-negotiations using the current
session ID. All supported alert messages are summarized in the table below.
The alert messages are protected by the record protocol, so the information they carry does not leak in transit. You must take extreme care that the alert information does not leak to a possible attacker by other means, such as public log files.

Alert | ID | Description |
---|---|---|
GNUTLS_A_CLOSE_NOTIFY | 0 | Close notify |
GNUTLS_A_UNEXPECTED_MESSAGE | 10 | Unexpected message |
GNUTLS_A_BAD_RECORD_MAC | 20 | Bad record MAC |
GNUTLS_A_DECRYPTION_FAILED | 21 | Decryption failed |
GNUTLS_A_RECORD_OVERFLOW | 22 | Record overflow |
GNUTLS_A_DECOMPRESSION_FAILURE | 30 | Decompression failed |
GNUTLS_A_HANDSHAKE_FAILURE | 40 | Handshake failed |
GNUTLS_A_SSL3_NO_CERTIFICATE | 41 | No certificate (SSL 3.0) |
GNUTLS_A_BAD_CERTIFICATE | 42 | Certificate is bad |
GNUTLS_A_UNSUPPORTED_CERTIFICATE | 43 | Certificate is not supported |
GNUTLS_A_CERTIFICATE_REVOKED | 44 | Certificate was revoked |
GNUTLS_A_CERTIFICATE_EXPIRED | 45 | Certificate is expired |
GNUTLS_A_CERTIFICATE_UNKNOWN | 46 | Unknown certificate |
GNUTLS_A_ILLEGAL_PARAMETER | 47 | Illegal parameter |
GNUTLS_A_UNKNOWN_CA | 48 | CA is unknown |
GNUTLS_A_ACCESS_DENIED | 49 | Access was denied |
GNUTLS_A_DECODE_ERROR | 50 | Decode error |
GNUTLS_A_DECRYPT_ERROR | 51 | Decrypt error |
GNUTLS_A_EXPORT_RESTRICTION | 60 | Export restriction |
GNUTLS_A_PROTOCOL_VERSION | 70 | Error in protocol version |
GNUTLS_A_INSUFFICIENT_SECURITY | 71 | Insufficient security |
GNUTLS_A_INTERNAL_ERROR | 80 | Internal error |
GNUTLS_A_INAPPROPRIATE_FALLBACK | 86 | Inappropriate fallback |
GNUTLS_A_USER_CANCELED | 90 | User canceled |
GNUTLS_A_NO_RENEGOTIATION | 100 | No renegotiation is allowed |
GNUTLS_A_MISSING_EXTENSION | 109 | An extension was expected but was not seen |
GNUTLS_A_UNSUPPORTED_EXTENSION | 110 | An unsupported extension was sent |
GNUTLS_A_CERTIFICATE_UNOBTAINABLE | 111 | Could not retrieve the specified certificate |
GNUTLS_A_UNRECOGNIZED_NAME | 112 | The server name sent was not recognized |
GNUTLS_A_UNKNOWN_PSK_IDENTITY | 115 | The SRP/PSK username is missing or not known |
GNUTLS_A_CERTIFICATE_REQUIRED | 116 | Certificate is required |
GNUTLS_A_NO_APPLICATION_PROTOCOL | 120 | No supported application protocol could be negotiated |
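
As an added illustration of the level handling and the logging caution above (this is not code from the GnuTLS manual or its API), the following C example decodes an alert body and builds one line for a restricted log and a separate, fixed line for anything publicly readable. The names `alert_parse`, `alert_log_lines` and `struct alert` are hypothetical, and the level byte values 1 (warning) and 2 (fatal) are taken from the TLS specification rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the table above (alert ID, description). */
static const struct { uint8_t id; const char *desc; } alerts[] = {
    {0, "Close notify"}, {20, "Bad record MAC"}, {40, "Handshake failed"},
    {42, "Certificate is bad"}, {48, "CA is unknown"}, {51, "Decrypt error"},
    {80, "Internal error"}, {90, "User canceled"},
};

struct alert { uint8_t level, id; int fatal; const char *desc; };
/* Decode the two-byte alert body (level, ID) of an already decrypted record.
 * Before TLS 1.3 the level must be 1 or 2. Returns 0, or -1 if malformed. */
int alert_parse(const uint8_t *body, size_t len, int tls13, struct alert *a)
{
    if (len != 2 || (!tls13 && body[0] != 1 && body[0] != 2))
        return -1;
    a->level = body[0];
    a->id = body[1];
    a->fatal = tls13 || body[0] == 2; /* TLS 1.3: every alert is fatal */
    a->desc = "Unknown alert";
    for (size_t i = 0; i < sizeof alerts / sizeof alerts[0]; i++)
        if (alerts[i].id == a->id)
            a->desc = alerts[i].desc;
    return 0;
}

/* The precise cause goes to the restricted log only; a public log gets a
 * fixed string. Both buffers hold n bytes. Returns the fatal flag. */
int alert_log_lines(const struct alert *a, char *priv, char *pub, size_t n)
{
    snprintf(priv, n, "tls alert %u (%s), %s", (unsigned)a->id, a->desc,
             a->fatal ? "fatal" : "warning");
    snprintf(pub, n, "TLS connection %s", a->id == 0 ? "closed" : "failed");
    return a->fatal;
}

int main(void)
{
    const uint8_t body[] = {2, 20}; /* constructed sample: fatal, ID 20 */
    struct alert a;
    char priv[64], pub[64];
    if (alert_parse(body, sizeof body, 0, &a) != 0)
        return 1;
    alert_log_lines(&a, priv, pub, sizeof priv);
    printf("restricted: %s\npublic:     %s\n", priv, pub);
    return 0;
}
```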