Next: , Previous: , Up: Introduction to TLS and DTLS   [Contents][Index]

3.4 The TLS alert protocol

The alert protocol is there to allow signals to be sent between peers. These signals are mostly used to inform the peer about the cause of a protocol failure. Some of these signals are used internally by the protocol and the application protocol does not have to cope with them (e.g. GNUTLS_A_CLOSE_NOTIFY), and others refer to the application protocol solely (e.g. GNUTLS_A_USER_CANCELLED). An alert signal includes a level indication which may be either fatal or warning (under TLS1.3 all alerts are fatal). Fatal alerts always terminate the current connection, and prevent future re-negotiations using the current session ID. All supported alert messages are summarized in the table below.

The alert messages are protected by the record protocol, thus the information that is included does not leak. You must take extreme care for the alert information not to leak to a possible attacker, via public log files etc.

AlertIDDescription
GNUTLS_A_CLOSE_NOTIFY0Close notify
GNUTLS_A_UNEXPECTED_MESSAGE10Unexpected message
GNUTLS_A_BAD_RECORD_MAC20Bad record MAC
GNUTLS_A_DECRYPTION_FAILED21Decryption failed
GNUTLS_A_RECORD_OVERFLOW22Record overflow
GNUTLS_A_DECOMPRESSION_FAILURE30Decompression failed
GNUTLS_A_HANDSHAKE_FAILURE40Handshake failed
GNUTLS_A_SSL3_NO_CERTIFICATE41No certificate (SSL 3.0)
GNUTLS_A_BAD_CERTIFICATE42Certificate is bad
GNUTLS_A_UNSUPPORTED_CERTIFICATE43Certificate is not supported
GNUTLS_A_CERTIFICATE_REVOKED44Certificate was revoked
GNUTLS_A_CERTIFICATE_EXPIRED45Certificate is expired
GNUTLS_A_CERTIFICATE_UNKNOWN46Unknown certificate
GNUTLS_A_ILLEGAL_PARAMETER47Illegal parameter
GNUTLS_A_UNKNOWN_CA48CA is unknown
GNUTLS_A_ACCESS_DENIED49Access was denied
GNUTLS_A_DECODE_ERROR50Decode error
GNUTLS_A_DECRYPT_ERROR51Decrypt error
GNUTLS_A_EXPORT_RESTRICTION60Export restriction
GNUTLS_A_PROTOCOL_VERSION70Error in protocol version
GNUTLS_A_INSUFFICIENT_SECURITY71Insufficient security
GNUTLS_A_INTERNAL_ERROR80Internal error
GNUTLS_A_INAPPROPRIATE_FALLBACK86Inappropriate fallback
GNUTLS_A_USER_CANCELED90User canceled
GNUTLS_A_NO_RENEGOTIATION100No renegotiation is allowed
GNUTLS_A_MISSING_EXTENSION109An extension was expected but was not seen
GNUTLS_A_UNSUPPORTED_EXTENSION110An unsupported extension was sent
GNUTLS_A_CERTIFICATE_UNOBTAINABLE111Could not retrieve the specified certificate
GNUTLS_A_UNRECOGNIZED_NAME112The server name sent was not recognized
GNUTLS_A_UNKNOWN_PSK_IDENTITY115The SRP/PSK username is missing or not known
GNUTLS_A_CERTIFICATE_REQUIRED116Certificate is required
GNUTLS_A_NO_APPLICATION_PROTOCOL120No supported application protocol could be negotiated

Next: The TLS handshake protocol, Previous: The TLS record protocol, Up: Introduction to TLS and DTLS   [Contents][Index]