This section defines new error alerts for use with the TLS extensions
defined in this document.

The following new error alerts are defined. To avoid "breaking"
existing clients and servers, these alerts MUST NOT be sent unless
the sending party has received an extended hello message from the
party they are communicating with.
- "unsupported_extension": this alert is sent by clients that
receive an extended server hello containing an extension that they
did not put in the corresponding client hello (see Section 2.3).
This message is always fatal.
- "unrecognized_name": this alert is sent by servers that receive a
server_name extension request, but do not recognize the server
name. This message MAY be fatal.
- "certificate_unobtainable": this alert is sent by servers who are
unable to retrieve a certificate chain from the URL supplied by
the client (see Section 3.3). This message MAY be fatal; for
example, if client authentication is required by the server for
the handshake to continue and the server is unable to retrieve the
certificate chain, it may send a fatal alert.
- "bad_certificate_status_response": this alert is sent by clients
that receive an invalid certificate status response (see Section
3.6). This message is always fatal.
- "bad_certificate_hash_value": this alert is sent by servers when a
certificate hash does not match a client-provided
certificate_hash. This message is always fatal.
These error alerts are conveyed using the following syntax:
enum {
    close_notify(0),
    unexpected_message(10),
    bad_record_mac(20),
    decryption_failed(21),
    record_overflow(22),
    decompression_failure(30),
    handshake_failure(40),
    /* 41 is not defined, for historical reasons */
    bad_certificate(42),
    unsupported_certificate(43),
    certificate_revoked(44),
    certificate_expired(45),
    certificate_unknown(46),
    illegal_parameter(47),
    unknown_ca(48),
    access_denied(49),
    decode_error(50),
    decrypt_error(51),
    export_restriction(60),
    protocol_version(70),
    insufficient_security(71),
    internal_error(80),
    user_canceled(90),
    no_renegotiation(100),
    unsupported_extension(110),           /* new */
    certificate_unobtainable(111),        /* new */
    unrecognized_name(112),               /* new */
    bad_certificate_status_response(113), /* new */
    bad_certificate_hash_value(114),      /* new */
    (255)
} AlertDescription;
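
The following is an added example, not part of the specification text: a conformance check that a TLS stack's test suite or a traffic analyzer could apply to a decoded Alert body, covering the sender, fatality, and extended-hello rules listed above. The function name, parameter names, and sample bytes are hypothetical; the 2-byte Alert layout and the AlertLevel values warning(1) and fatal(2) are taken from the base TLS specification.

```python
# Added example: check a 2-byte TLS Alert body (level, description) against
# the rules this section gives for the five new alerts.
WARNING, FATAL = 1, 2  # AlertLevel values from the base TLS specification

# description code -> (name, party that sends it, always fatal?)
EXTENSION_ALERTS = {
    110: ("unsupported_extension", "client", True),
    111: ("certificate_unobtainable", "server", False),
    112: ("unrecognized_name", "server", False),
    113: ("bad_certificate_status_response", "client", True),
    114: ("bad_certificate_hash_value", "server", True),
}

def check_extension_alert(body, sender, sender_received_extended_hello):
    """Return (name, problems). name is None when the description is not
    one of the five alerts defined here; problems lists rule violations."""
    if len(body) != 2:
        raise ValueError("an Alert body is exactly 2 bytes")
    level, description = body[0], body[1]
    if level not in (WARNING, FATAL):
        raise ValueError("unknown AlertLevel %d" % level)
    entry = EXTENSION_ALERTS.get(description)
    if entry is None:
        return None, []
    name, expected_sender, always_fatal = entry
    problems = []
    if not sender_received_extended_hello:
        # MUST NOT be sent unless the sender has seen an extended hello.
        problems.append("sent without having received an extended hello")
    if sender != expected_sender:
        problems.append("defined as sent by the %s, not the %s"
                        % (expected_sender, sender))
    if always_fatal and level != FATAL:
        problems.append("always fatal, but sent at warning level")
    return name, problems

if __name__ == "__main__":
    # Constructed sample alerts: (body, sender, sender saw an extended hello)
    samples = [
        (bytes([WARNING, 112]), "server", True),   # permitted warning
        (bytes([WARNING, 110]), "client", True),   # must be fatal
        (bytes([FATAL, 114]), "server", False),    # no extended hello seen
    ]
    for body, sender, seen in samples:
        print(body.hex(), check_extension_alert(body, sender, seen))
```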