Files
MontaukOS/montaukos.org/docs/man/tls-errors.html
T
2026-07-09 11:32:27 +02:00

335 lines
9.7 KiB
HTML

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="MontaukOS manual page: tls-errors(5) - BearSSL TLS and X.509 error codes">
<title>tls-errors(5) - MontaukOS Manual</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;600&display=swap" rel="stylesheet">
<style>
body {
font-family: 'Open Sans', Arial, sans-serif;
max-width: 960px;
margin: 0 auto;
padding: 1em;
line-height: 1.5;
display: flex;
gap: 2em;
}
p { margin: 0 0 0.5em; }
h2 { margin: 0.5em 0; }
.sidebar {
width: 160px;
flex-shrink: 0;
}
.sidebar ul {
list-style: none;
padding: 0;
}
.sidebar li {
margin: 0.5em 0;
}
.sidebar a {
color: #0066CC;
text-decoration: none;
font-weight: 600;
}
.sidebar a:hover {
color: #004499;
text-decoration: underline;
}
.sidebar .current {
color: #004499;
}
.sidebar hr {
border: none;
border-top: 1px solid #999;
margin: 0.75em 0;
}
.main {
flex: 1;
min-width: 0;
}
a { color: #0000EE; }
a:visited { color: #0066CC; }
hr { border-style: solid; border-width: 1px 0 0 0; border-color: #999; }
pre { background: #f0f0f0; padding: 0.5em; overflow-x: auto; }
code { background: #f0f0f0; padding: 0 0.15em; }
pre code { padding: 0; }
.center { text-align: center; }
.box {
border: 1px solid #999;
padding: 0.5em;
margin: 0.5em 0;
}
</style>
</head>
<body>
<div class="sidebar">
<ul>
<li><a href="../../index.html">Home</a></li>
<li><a href="../index.html">Documentation</a></li>
</ul>
<hr>
<ul>
<li><a href="index.html" class="current">Man Pages</a></li>
</ul>
</div>
<div class="main">
<div class="center">
<h1>tls-errors(5)</h1>
</div>
<hr>
<pre><code><strong>NAME</strong>
tls-errors - BearSSL TLS and X.509 error codes
<strong>DESCRIPTION</strong>
MontaukOS uses BearSSL for TLS 1.2 connections. When a TLS
operation fails, an integer error code is reported. This page
lists all possible error codes.
<strong>SSL/TLS ENGINE ERRORS</strong>
<strong>0 BR_ERR_OK</strong>
No error.
<strong>1 BR_ERR_BAD_PARAM</strong>
Caller-provided parameter is incorrect.
<strong>2 BR_ERR_BAD_STATE</strong>
Operation cannot be applied in the current engine state.
<strong>3 BR_ERR_UNSUPPORTED_VERSION</strong>
Incoming protocol or record version is unsupported.
<strong>4 BR_ERR_BAD_VERSION</strong>
Incoming record version does not match the expected version.
<strong>5 BR_ERR_BAD_LENGTH</strong>
Incoming record length is invalid.
<strong>6 BR_ERR_TOO_LARGE</strong>
Incoming record is too large, or buffer is too small for the
handshake message to send.
<strong>7 BR_ERR_BAD_MAC</strong>
Decryption found invalid padding, or the record MAC is
not correct.
<strong>8 BR_ERR_NO_RANDOM</strong>
No initial entropy was provided and none could be obtained
from the OS.
<strong>9 BR_ERR_UNKNOWN_TYPE</strong>
Incoming record type is unknown.
<strong>10 BR_ERR_UNEXPECTED</strong>
Incoming record or message has wrong type for the current
engine state.
<strong>12 BR_ERR_BAD_CCS</strong>
ChangeCipherSpec message from the peer has invalid contents.
<strong>13 BR_ERR_BAD_ALERT</strong>
Alert message from the peer has invalid contents (odd length).
<strong>14 BR_ERR_BAD_HANDSHAKE</strong>
Incoming handshake message decoding failed.
<strong>15 BR_ERR_OVERSIZED_ID</strong>
ServerHello contains a session ID larger than 32 bytes.
<strong>16 BR_ERR_BAD_CIPHER_SUITE</strong>
Server wants to use a cipher suite that we did not advertise,
or we tried to advertise a cipher suite that we do not support.
<strong>17 BR_ERR_BAD_COMPRESSION</strong>
Server wants to use a compression method that we did not
advertise.
<strong>18 BR_ERR_BAD_FRAGLEN</strong>
Server's max fragment length does not match client's.
<strong>19 BR_ERR_BAD_SECRENEG</strong>
Secure renegotiation failed.
<strong>20 BR_ERR_EXTRA_EXTENSION</strong>
Server sent an extension type that we did not announce, or
used the same extension type more than once in ServerHello.
<strong>21 BR_ERR_BAD_SNI</strong>
Invalid Server Name Indication contents (when used by the
server, this extension shall be empty).
<strong>22 BR_ERR_BAD_HELLO_DONE</strong>
Invalid ServerHelloDone from the server (length is not 0).
<strong>23 BR_ERR_LIMIT_EXCEEDED</strong>
Internal limit exceeded (e.g. server's public key is too
large).
<strong>24 BR_ERR_BAD_FINISHED</strong>
Finished message from peer does not match the expected value.
<strong>25 BR_ERR_RESUME_MISMATCH</strong>
Session resumption attempted with a different version or
cipher suite.
<strong>26 BR_ERR_INVALID_ALGORITHM</strong>
Unsupported or invalid algorithm (ECDHE curve, signature
algorithm, hash function).
<strong>27 BR_ERR_BAD_SIGNATURE</strong>
Invalid signature on ServerKeyExchange or CertificateVerify.
<strong>28 BR_ERR_WRONG_KEY_USAGE</strong>
Peer's public key does not have the proper type or is not
allowed for the requested operation.
<strong>29 BR_ERR_NO_CLIENT_AUTH</strong>
Client did not send a certificate upon request, or the client
certificate could not be validated.
<strong>31 BR_ERR_IO</strong>
I/O error or premature close on the underlying transport.
<strong>X.509 CERTIFICATE ERRORS</strong>
<strong>32 BR_ERR_X509_OK</strong>
X.509 validation was successful (not an error).
<strong>33 BR_ERR_X509_INVALID_VALUE</strong>
Invalid value in an ASN.1 structure.
<strong>34 BR_ERR_X509_TRUNCATED</strong>
Truncated certificate.
<strong>35 BR_ERR_X509_EMPTY_CHAIN</strong>
Empty certificate chain (no certificate at all).
<strong>36 BR_ERR_X509_INNER_TRUNC</strong>
Inner element extends beyond outer element size.
<strong>37 BR_ERR_X509_BAD_TAG_CLASS</strong>
Unsupported tag class (application or private).
<strong>38 BR_ERR_X509_BAD_TAG_VALUE</strong>
Unsupported tag value.
<strong>39 BR_ERR_X509_INDEFINITE_LENGTH</strong>
Indefinite length encoding found.
<strong>40 BR_ERR_X509_EXTRA_ELEMENT</strong>
Extraneous element in certificate.
<strong>41 BR_ERR_X509_UNEXPECTED</strong>
Unexpected element in certificate.
<strong>42 BR_ERR_X509_NOT_CONSTRUCTED</strong>
Expected constructed element, but found primitive.
<strong>43 BR_ERR_X509_NOT_PRIMITIVE</strong>
Expected primitive element, but found constructed.
<strong>44 BR_ERR_X509_PARTIAL_BYTE</strong>
BIT STRING length is not a multiple of 8.
<strong>45 BR_ERR_X509_BAD_BOOLEAN</strong>
BOOLEAN value has invalid length.
<strong>46 BR_ERR_X509_OVERFLOW</strong>
Value is off-limits (overflow).
<strong>47 BR_ERR_X509_BAD_DN</strong>
Invalid distinguished name.
<strong>48 BR_ERR_X509_BAD_TIME</strong>
Invalid date/time representation in certificate.
<strong>49 BR_ERR_X509_UNSUPPORTED</strong>
Certificate contains unsupported features that cannot be
ignored.
<strong>50 BR_ERR_X509_LIMIT_EXCEEDED</strong>
Key or signature size exceeds internal limits.
<strong>51 BR_ERR_X509_WRONG_KEY_TYPE</strong>
Key type does not match that which was expected.
<strong>52 BR_ERR_X509_BAD_SIGNATURE</strong>
Signature is invalid.
<strong>53 BR_ERR_X509_TIME_UNKNOWN</strong>
Validation time is unknown (no time was set).
<strong>54 BR_ERR_X509_EXPIRED</strong>
Certificate is expired or not yet valid.
<strong>55 BR_ERR_X509_DN_MISMATCH</strong>
Issuer/subject DN mismatch in the chain.
<strong>56 BR_ERR_X509_BAD_SERVER_NAME</strong>
Expected server name was not found in the chain.
<strong>57 BR_ERR_X509_CRITICAL_EXTENSION</strong>
Unknown critical extension in certificate.
<strong>58 BR_ERR_X509_NOT_CA</strong>
Not a CA, or path length constraint violation.
<strong>59 BR_ERR_X509_FORBIDDEN_KEY_USAGE</strong>
Key Usage extension prohibits the intended usage.
<strong>60 BR_ERR_X509_WEAK_PUBLIC_KEY</strong>
Public key found in certificate is too small.
<strong>62 BR_ERR_X509_NOT_TRUSTED</strong>
Chain could not be linked to a trust anchor.
<strong>FATAL ALERTS</strong>
When a fatal alert is received from the peer, the error code
is 256 + the TLS alert value. When a fatal alert is sent to
the peer, the error code is 512 + the TLS alert value.
Common alert values:
0 close_notify
10 unexpected_message
20 bad_record_mac
40 handshake_failure
42 bad_certificate
43 unsupported_certificate
44 certificate_revoked
45 certificate_expired
46 certificate_unknown
47 illegal_parameter
48 unknown_ca
50 decode_error
51 decrypt_error
70 protocol_version
71 insufficient_security
80 internal_error
86 unrecognized_name
112 no_application_protocol
For example, error 296 means a handshake_failure alert was
received (256 + 40 = 296).
<strong>SEE ALSO</strong>
fetch(1), syscalls(2)</code></pre>
<hr>
<div class="center">
<a href="../index.html">Back to Documentation Index</a>
</div>
</div>
</body>
</html>