tls-errors(5)
NAME
tls-errors - BearSSL TLS and X.509 error codes
DESCRIPTION
MontaukOS uses BearSSL for TLS 1.2 connections. When a TLS
operation fails, an integer error code is reported. This page
lists all possible error codes.
SSL/TLS ENGINE ERRORS
0 BR_ERR_OK
No error.
1 BR_ERR_BAD_PARAM
Caller-provided parameter is incorrect.
2 BR_ERR_BAD_STATE
Operation cannot be applied in the current engine state.
3 BR_ERR_UNSUPPORTED_VERSION
Incoming protocol or record version is unsupported.
4 BR_ERR_BAD_VERSION
Incoming record version does not match the expected version.
5 BR_ERR_BAD_LENGTH
Incoming record length is invalid.
6 BR_ERR_TOO_LARGE
Incoming record is too large, or buffer is too small for the
handshake message to send.
7 BR_ERR_BAD_MAC
Decryption found invalid padding, or the record MAC is
not correct.
8 BR_ERR_NO_RANDOM
No initial entropy was provided and none could be obtained
from the OS.
9 BR_ERR_UNKNOWN_TYPE
Incoming record type is unknown.
10 BR_ERR_UNEXPECTED
Incoming record or message has wrong type for the current
engine state.
12 BR_ERR_BAD_CCS
ChangeCipherSpec message from the peer has invalid contents.
13 BR_ERR_BAD_ALERT
Alert message from the peer has invalid contents (odd length).
14 BR_ERR_BAD_HANDSHAKE
Incoming handshake message decoding failed.
15 BR_ERR_OVERSIZED_ID
ServerHello contains a session ID larger than 32 bytes.
16 BR_ERR_BAD_CIPHER_SUITE
Server wants to use a cipher suite that we did not advertise,
or we tried to advertise a cipher suite that we do not support.
17 BR_ERR_BAD_COMPRESSION
Server wants to use a compression method that we did not
advertise.
18 BR_ERR_BAD_FRAGLEN
Server's max fragment length does not match client's.
19 BR_ERR_BAD_SECRENEG
Secure renegotiation failed.
20 BR_ERR_EXTRA_EXTENSION
Server sent an extension type that we did not announce, or
used the same extension type more than once in ServerHello.
21 BR_ERR_BAD_SNI
Invalid Server Name Indication contents (when used by the
server, this extension shall be empty).
22 BR_ERR_BAD_HELLO_DONE
Invalid ServerHelloDone from the server (length is not 0).
23 BR_ERR_LIMIT_EXCEEDED
Internal limit exceeded (e.g. server's public key is too
large).
24 BR_ERR_BAD_FINISHED
Finished message from peer does not match the expected value.
25 BR_ERR_RESUME_MISMATCH
Session resumption attempted with a different version or
cipher suite.
26 BR_ERR_INVALID_ALGORITHM
Unsupported or invalid algorithm (ECDHE curve, signature
algorithm, hash function).
27 BR_ERR_BAD_SIGNATURE
Invalid signature on ServerKeyExchange or CertificateVerify.
28 BR_ERR_WRONG_KEY_USAGE
Peer's public key does not have the proper type or is not
allowed for the requested operation.
29 BR_ERR_NO_CLIENT_AUTH
Client did not send a certificate upon request, or the client
certificate could not be validated.
31 BR_ERR_IO
I/O error or premature close on the underlying transport.
X.509 CERTIFICATE ERRORS
32 BR_ERR_X509_OK
X.509 validation was successful (not an error).
33 BR_ERR_X509_INVALID_VALUE
Invalid value in an ASN.1 structure.
34 BR_ERR_X509_TRUNCATED
Truncated certificate.
35 BR_ERR_X509_EMPTY_CHAIN
Empty certificate chain (no certificate at all).
36 BR_ERR_X509_INNER_TRUNC
Inner element extends beyond outer element size.
37 BR_ERR_X509_BAD_TAG_CLASS
Unsupported tag class (application or private).
38 BR_ERR_X509_BAD_TAG_VALUE
Unsupported tag value.
39 BR_ERR_X509_INDEFINITE_LENGTH
Indefinite length encoding found.
40 BR_ERR_X509_EXTRA_ELEMENT
Extraneous element in certificate.
41 BR_ERR_X509_UNEXPECTED
Unexpected element in certificate.
42 BR_ERR_X509_NOT_CONSTRUCTED
Expected constructed element, but found primitive.
43 BR_ERR_X509_NOT_PRIMITIVE
Expected primitive element, but found constructed.
44 BR_ERR_X509_PARTIAL_BYTE
BIT STRING length is not a multiple of 8.
45 BR_ERR_X509_BAD_BOOLEAN
BOOLEAN value has invalid length.
46 BR_ERR_X509_OVERFLOW
Value is off-limits (overflow).
47 BR_ERR_X509_BAD_DN
Invalid distinguished name.
48 BR_ERR_X509_BAD_TIME
Invalid date/time representation in certificate.
49 BR_ERR_X509_UNSUPPORTED
Certificate contains unsupported features that cannot be
ignored.
50 BR_ERR_X509_LIMIT_EXCEEDED
Key or signature size exceeds internal limits.
51 BR_ERR_X509_WRONG_KEY_TYPE
Key type does not match that which was expected.
52 BR_ERR_X509_BAD_SIGNATURE
Signature is invalid.
53 BR_ERR_X509_TIME_UNKNOWN
Validation time is unknown (no time was set).
54 BR_ERR_X509_EXPIRED
Certificate is expired or not yet valid.
55 BR_ERR_X509_DN_MISMATCH
Issuer/subject DN mismatch in the chain.
56 BR_ERR_X509_BAD_SERVER_NAME
Expected server name was not found in the chain.
57 BR_ERR_X509_CRITICAL_EXTENSION
Unknown critical extension in certificate.
58 BR_ERR_X509_NOT_CA
Not a CA, or path length constraint violation.
59 BR_ERR_X509_FORBIDDEN_KEY_USAGE
Key Usage extension prohibits the intended usage.
60 BR_ERR_X509_WEAK_PUBLIC_KEY
Public key found in certificate is too small.
62 BR_ERR_X509_NOT_TRUSTED
Chain could not be linked to a trust anchor.
FATAL ALERTS
When a fatal alert is received from the peer, the error code
is 256 + the TLS alert value. When a fatal alert is sent to
the peer, the error code is 512 + the TLS alert value.
Common alert values:
0 close_notify
10 unexpected_message
20 bad_record_mac
40 handshake_failure
42 bad_certificate
43 unsupported_certificate
44 certificate_revoked
45 certificate_expired
46 certificate_unknown
47 illegal_parameter
48 unknown_ca
50 decode_error
51 decrypt_error
70 protocol_version
71 insufficient_security
80 internal_error
86 unrecognized_name
112 no_application_protocol
For example, error 296 means a handshake_failure alert was
received (256 + 40 = 296).
SEE ALSO
fetch(1), syscalls(2)