tls-errors(5)


NAME
    tls-errors - BearSSL TLS and X.509 error codes

DESCRIPTION
    MontaukOS uses BearSSL for TLS 1.2 connections. When a TLS
    operation fails, an integer error code is reported. This page
    lists all possible error codes.

SSL/TLS ENGINE ERRORS

0  BR_ERR_OK
    No error.

1  BR_ERR_BAD_PARAM
    Caller-provided parameter is incorrect.

2  BR_ERR_BAD_STATE
    Operation cannot be applied in the current engine state.

3  BR_ERR_UNSUPPORTED_VERSION
    Incoming protocol or record version is unsupported.

4  BR_ERR_BAD_VERSION
    Incoming record version does not match the expected version.

5  BR_ERR_BAD_LENGTH
    Incoming record length is invalid.

6  BR_ERR_TOO_LARGE
    Incoming record is too large, or buffer is too small for the
    handshake message to send.

7  BR_ERR_BAD_MAC
    Decryption found invalid padding, or the record MAC is
    not correct.

8  BR_ERR_NO_RANDOM
    No initial entropy was provided and none could be obtained
    from the OS.

9  BR_ERR_UNKNOWN_TYPE
    Incoming record type is unknown.

10 BR_ERR_UNEXPECTED
    Incoming record or message has wrong type for the current
    engine state.

12 BR_ERR_BAD_CCS
    ChangeCipherSpec message from the peer has invalid contents.

13 BR_ERR_BAD_ALERT
    Alert message from the peer has invalid contents (odd length).

14 BR_ERR_BAD_HANDSHAKE
    Incoming handshake message decoding failed.

15 BR_ERR_OVERSIZED_ID
    ServerHello contains a session ID larger than 32 bytes.

16 BR_ERR_BAD_CIPHER_SUITE
    Server wants to use a cipher suite that we did not advertise,
    or we tried to advertise a cipher suite that we do not support.

17 BR_ERR_BAD_COMPRESSION
    Server wants to use a compression method that we did not
    advertise.

18 BR_ERR_BAD_FRAGLEN
    Server's max fragment length does not match client's.

19 BR_ERR_BAD_SECRENEG
    Secure renegotiation failed.

20 BR_ERR_EXTRA_EXTENSION
    Server sent an extension type that we did not announce, or
    used the same extension type more than once in ServerHello.

21 BR_ERR_BAD_SNI
    Invalid Server Name Indication contents (when used by the
    server, this extension shall be empty).

22 BR_ERR_BAD_HELLO_DONE
    Invalid ServerHelloDone from the server (length is not 0).

23 BR_ERR_LIMIT_EXCEEDED
    Internal limit exceeded (e.g. server's public key is too
    large).

24 BR_ERR_BAD_FINISHED
    Finished message from peer does not match the expected value.

25 BR_ERR_RESUME_MISMATCH
    Session resumption attempted with a different version or
    cipher suite.

26 BR_ERR_INVALID_ALGORITHM
    Unsupported or invalid algorithm (ECDHE curve, signature
    algorithm, hash function).

27 BR_ERR_BAD_SIGNATURE
    Invalid signature on ServerKeyExchange or CertificateVerify.

28 BR_ERR_WRONG_KEY_USAGE
    Peer's public key does not have the proper type or is not
    allowed for the requested operation.

29 BR_ERR_NO_CLIENT_AUTH
    Client did not send a certificate upon request, or the client
    certificate could not be validated.

31 BR_ERR_IO
    I/O error or premature close on the underlying transport.

X.509 CERTIFICATE ERRORS

32 BR_ERR_X509_OK
    X.509 validation was successful (not an error).

33 BR_ERR_X509_INVALID_VALUE
    Invalid value in an ASN.1 structure.

34 BR_ERR_X509_TRUNCATED
    Truncated certificate.

35 BR_ERR_X509_EMPTY_CHAIN
    Empty certificate chain (no certificate at all).

36 BR_ERR_X509_INNER_TRUNC
    Inner element extends beyond outer element size.

37 BR_ERR_X509_BAD_TAG_CLASS
    Unsupported tag class (application or private).

38 BR_ERR_X509_BAD_TAG_VALUE
    Unsupported tag value.

39 BR_ERR_X509_INDEFINITE_LENGTH
    Indefinite length encoding found.

40 BR_ERR_X509_EXTRA_ELEMENT
    Extraneous element in certificate.

41 BR_ERR_X509_UNEXPECTED
    Unexpected element in certificate.

42 BR_ERR_X509_NOT_CONSTRUCTED
    Expected constructed element, but found primitive.

43 BR_ERR_X509_NOT_PRIMITIVE
    Expected primitive element, but found constructed.

44 BR_ERR_X509_PARTIAL_BYTE
    BIT STRING length is not a multiple of 8.

45 BR_ERR_X509_BAD_BOOLEAN
    BOOLEAN value has invalid length.

46 BR_ERR_X509_OVERFLOW
    Value is off-limits (overflow).

47 BR_ERR_X509_BAD_DN
    Invalid distinguished name.

48 BR_ERR_X509_BAD_TIME
    Invalid date/time representation in certificate.

49 BR_ERR_X509_UNSUPPORTED
    Certificate contains unsupported features that cannot be
    ignored.

50 BR_ERR_X509_LIMIT_EXCEEDED
    Key or signature size exceeds internal limits.

51 BR_ERR_X509_WRONG_KEY_TYPE
    Key type does not match that which was expected.

52 BR_ERR_X509_BAD_SIGNATURE
    Signature is invalid.

53 BR_ERR_X509_TIME_UNKNOWN
    Validation time is unknown (no time was set).

54 BR_ERR_X509_EXPIRED
    Certificate is expired or not yet valid.

55 BR_ERR_X509_DN_MISMATCH
    Issuer/subject DN mismatch in the chain.

56 BR_ERR_X509_BAD_SERVER_NAME
    Expected server name was not found in the chain.

57 BR_ERR_X509_CRITICAL_EXTENSION
    Unknown critical extension in certificate.

58 BR_ERR_X509_NOT_CA
    Not a CA, or path length constraint violation.

59 BR_ERR_X509_FORBIDDEN_KEY_USAGE
    Key Usage extension prohibits the intended usage.

60 BR_ERR_X509_WEAK_PUBLIC_KEY
    Public key found in certificate is too small.

62 BR_ERR_X509_NOT_TRUSTED
    Chain could not be linked to a trust anchor.

FATAL ALERTS
    When a fatal alert is received from the peer, the error code
    is 256 + the TLS alert value. When a fatal alert is sent to
    the peer, the error code is 512 + the TLS alert value.

    Common alert values:
        0   close_notify
       10   unexpected_message
       20   bad_record_mac
       40   handshake_failure
       42   bad_certificate
       43   unsupported_certificate
       44   certificate_revoked
       45   certificate_expired
       46   certificate_unknown
       47   illegal_parameter
       48   unknown_ca
       50   decode_error
       51   decrypt_error
       70   protocol_version
       71   insufficient_security
       80   internal_error
       86   unrecognized_name
      112   no_application_protocol

    For example, error 296 means a handshake_failure alert was
    received (256 + 40 = 296).

SEE ALSO
    fetch(1), syscalls(2)

Back to Documentation Index