SSL_alert_type_string(3) - NetBSD Manual Pages




SSL_alert_type_string(3)     OpenSSL     SSL_alert_type_string(3)



NAME
SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long - get textual description of alert information
LIBRARY
libcrypto, -lcrypto
SYNOPSIS
#include <openssl/ssl.h> char *SSL_alert_type_string(int value); char *SSL_alert_type_string_long(int value); char *SSL_alert_desc_string(int value); char *SSL_alert_desc_string_long(int value);
DESCRIPTION
SSL_alert_type_string() returns a one letter string indi- cating the type of the alert specified by value. SSL_alert_type_string_long() returns a string indicating the type of the alert specified by value. SSL_alert_desc_string() returns a two letter string as a short form describing the reason of the alert specified by value. SSL_alert_desc_string_long() returns a string describing the reason of the alert specified by value.
NOTES
When one side of an SSL/TLS communication wants to inform the peer about a special situation, it sends an alert. The alert is sent as a special message and does not influence the normal data stream (unless its contents results in the communication being canceled). A warning alert is sent, when a non-fatal error condition occurs. The "close notify" alert is sent as a warning alert. Other examples for non-fatal errors are certificate errors ("certificate expired", "unsupported certificate"), for which a warning alert may be sent. (The sending party may however decide to send a fatal error.) The receiving side may cancel the connection on reception of a warning alert on it discretion. Several alert messages must be sent as fatal alert mes- sages as specified by the TLS RFC. A fatal alert always leads to a connection abort.
RETURN VALUES
The following strings can occur for 2002-08-05 0.9.6g 1 SSL_alert_type_string(3) OpenSSL SSL_alert_type_string(3) SSL_alert_type_string() or SSL_alert_type_string_long(): ""W""/""warning"" ""F""/""fatal"" ""U""/""unknown"" This indicates that no support is available for this alert type. Probably value does not contain a correct alert message. The following strings can occur for SSL_alert_desc_string() or SSL_alert_desc_string_long(): ""CN""/""close notify"" The connection shall be closed. This is a warning alert. ""UM""/""unexpected message"" An inappropriate message was received. This alert is always fatal and should never be observed in communi- cation between proper implementations. ""BM""/""bad record mac"" This alert is returned if a record is received with an incorrect MAC. This message is always fatal. ""DF""/""decompression failure"" The decompression function received improper input (e.g. data that would expand to excessive length). This message is always fatal. ""HF""/""handshake failure"" Reception of a handshake_failure alert message indi- cates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error. ""NC""/""no certificate"" A client, that was asked to send a certificate, does not send a certificate (SSLv3 only). ""BC""/""bad certificate"" A certificate was corrupt, contained signatures that did not verify correctly, etc ""UC""/""unsupported certificate"" A certificate was of an unsupported type. ""CR""/""certificate revoked"" A certificate was revoked by its signer. ""CE""/""certificate expired"" A certificate has expired or is not currently valid. 2002-08-05 0.9.6g 2 SSL_alert_type_string(3) OpenSSL SSL_alert_type_string(3) ""CU""/""certificate unknown"" Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable. ""IP""/""illegal parameter"" A field in the handshake was out of range or inconsis- tent with other fields. This is always fatal. ""DC""/""decryption failed"" A TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length or its padding values, when checked, weren't correct. This message is always fatal. ""RO""/""record overflow"" A TLSCiphertext record was received which had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. This message is always fatal. ""CA""/""unknown CA"" A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This message is always fatal. ""AD""/""access denied"" A valid certificate was received, but when access con- trol was applied, the sender decided not to proceed with negotiation. This message is always fatal. ""DE""/""decode error"" A message could not be decoded because some field was out of the specified range or the length of the mes- sage was incorrect. This message is always fatal. ""CY""/""decrypt error"" A handshake cryptographic operation failed, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message. ""ER""/""export restriction"" A negotiation not in compliance with export restric- tions was detected; for example, attempting to trans- fer a 1024 bit ephemeral RSA key for the RSA_EXPORT handshake method. This message is always fatal. ""PV""/""protocol version"" The protocol version the client has attempted to nego- tiate is recognized, but not supported. (For example, old protocol versions might be avoided for security reasons). This message is always fatal. 2002-08-05 0.9.6g 3 SSL_alert_type_string(3) OpenSSL SSL_alert_type_string(3) ""IS""/""insufficient security"" Returned instead of handshake_failure when a negotia- tion has failed specifically because the server requires ciphers more secure than those supported by the client. This message is always fatal. ""IE""/""internal error"" An internal error unrelated to the peer or the cor- rectness of the protocol makes it impossible to con- tinue (such as a memory allocation failure). This mes- sage is always fatal. ""US""/""user canceled"" This handshake is being canceled for some reason unre- lated to a protocol failure. If the user cancels an operation after the handshake is complete, just clos- ing the connection by sending a close_notify is more appropriate. This alert should be followed by a close_notify. This message is generally a warning. ""NR""/""no renegotiation"" Sent by the client in response to a hello request or by the server in response to a client hello after ini- tial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentica- tion, etc.) at startup and it might be difficult to communicate changes to these parameters after that point. This message is always a warning. ""UK""/""unknown"" This indicates that no description is available for this alert type. Probably value does not contain a correct alert message.
SEE ALSO
ssl(3), SSL_CTX_set_info_callback(3) 2002-08-05 0.9.6g 4

Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.