daemon/tls: send fatal alert on handshake failure

If the TLS handshake process fatally fails (e.g. no matching cipher suite / cert), sent an alert to notify the peer.

daemon/tls: send fatal alert on handshake failure
If the TLS handshake process fatally fails (e.g. no matching cipher suite / cert), sent an alert to notify the peer.
66ea149a · Tomas Krizek · 6c98b011 · 66ea149a · 66ea149a
Verified Commit 66ea149a authored 4 years ago by Tomas Krizek
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ Knot Resolver 5.x.y (2020-0m-dd)
 Bugfixes
 --------
 - hints module: NODATA answers also for non-address queries (!1005)
+- tls: send alert to peer if handshake fails (!1007)


 Knot Resolver 5.1.1 (2020-05-19)

--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -253,6 +253,8 @@ static int tls_handshake(struct tls_common_ctx *ctx, tls_handshake_cb handshake_
 		kr_log_verbose("[%s] gnutls_handshake failed: %s (%d)\n",
 			     logstring,
 		             gnutls_strerror_name(err), err);
+		/* Notify the peer about handshake failure via an alert. */
+		gnutls_alert_send_appropriate(ctx->tls_session, err);
 		if (handshake_cb) {
 			handshake_cb(session, -1);
 		}