Alert Protocol
This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).
+ | Byte +0 | Byte +1 | Byte +2 | Byte +3 | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Byte 0 |
21 | |||||||||||||||||||||||||||||||
Bytes 1..4 |
Version | Length | ||||||||||||||||||||||||||||||
(Major) | (Minor) | 0 | 2 | |||||||||||||||||||||||||||||
Bytes 5..6 |
Level | Description | ||||||||||||||||||||||||||||||
Bytes 7..(p-1) |
MAC (optional) | |||||||||||||||||||||||||||||||
Bytes p..(q-1) |
Padding (block ciphers only) |
- Level
- This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
- Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).
Code | Level type | Connection state |
---|---|---|
1 | warning | connection or security may be unstable. |
2 | fatal | connection or security may be compromised, or an unrecoverable error has occurred. |
- Description
- This field identifies which type of alert is being sent.
Code | Description | Level types | Note |
---|---|---|---|
0 | Close notify | warning/fatal | |
10 | Unexpected message | fatal | |
20 | Bad record MAC | fatal | Possibly a bad SSL implementation, or payload has been tampered with e. g. FTP firewall rule on FTPS server. |
21 | Decryption failed | fatal | TLS only, reserved |
22 | Record overflow | fatal | TLS only |
30 | Decompression failure | fatal | |
40 | Handshake failure | fatal | |
41 | No certificate | warning/fatal | SSL 3.0 only, reserved |
42 | Bad certificate | warning/fatal | |
43 | Unsupported certificate | warning/fatal | E. g. certificate has only Server authentication usage enabled and is presented as a client certificate |
44 | Certificate revoked | warning/fatal | |
45 | Certificate expired | warning/fatal | Check server certificate expire also check no certificate in the chain presented has expired |
46 | Certificate unknown | warning/fatal | |
47 | Illegal parameter | fatal | |
48 | Unknown CA (Certificate authority) | fatal | TLS only |
49 | Access denied | fatal | TLS only - E. g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one. |
50 | Decode error | fatal | TLS only |
51 | Decrypt error | warning/fatal | TLS only |
60 | Export restriction | fatal | TLS only, reserved |
70 | Protocol version | fatal | TLS only |
71 | Insufficient security | fatal | TLS only |
80 | Internal error | fatal | TLS only |
90 | User cancelled | fatal | TLS only |
100 | No renegotiation | warning | TLS only |
110 | Unsupported extension | warning | TLS only |
111 | Certificate unobtainable | warning | TLS only |
112 | Unrecognized name | warning | TLS only; client's Server Name Indicator specified a hostname not supported by the server |
113 | Bad certificate status response | fatal | TLS only |
114 | Bad certificate hash value | fatal | TLS only |
115 | Unknown PSK identity (used in TLS-PSK and TLS-SRP) | fatal | TLS only |
Read more about this topic: Transport Layer Security, Security
Famous quotes containing the word alert:
“Ones prime is elusive. You little girls, when you grow up, must be on the alert to recognize your prime at whatever time of your life it may occur. You must then live it to the full.”
—Muriel Spark (b. 1918)