
put CERTIFICATE_UNKNOWN back

Open copy opened this issue 6 months ago • 2 comments

This alert is sent by chromium on self-signed certificates, so it probably makes sense to have a useful error message, as opposed to "TLS alert from peer: unknown 46"

copy avatar Jun 18 '25 16:06 copy

I'm undecided. I agree that this is a more useful error message. At the same time, my reasoning in 52ee03e14782e9b086b0b03fb42c02aa12e310d7 was to reduce the binary size of the tls library - and only provide these constructors that we actually use.

Now, where should we draw the line? There are likely more alerts being used by other TLS implementations. Adding all the alerts (e.g. all from the TLS 1.3 spec) would mean to add:

          unsupported_certificate(43),
          certificate_revoked(44),
          certificate_expired(45),
          illegal_parameter(47),
          unknown_ca(48),
          access_denied(49),
          decrypt_error(51),
          insufficient_security(71),
          internal_error(80),
          bad_certificate_status_response(113),
          unknown_psk_identity(115),
          certificate_required(116),

and not only these constructors and integer values, but as well something printable (a string).

As said, I'm undecided about that. We can of course do this case-by-case -- and now add the certificate_unknown, and when someone else comes along, add their favourite observed alert.

hannesm avatar Jun 19 '25 06:06 hannesm
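To make the trade-off concrete, here is an added example (Python, not ocaml-tls code) that parses a plaintext TLS alert record and renders it with the full RFC 8446 description table; passing a reduced table shows how the fallback degrades to the "unknown 46" message from the issue. The message format, the table name and the sample record bytes are assumptions for illustration.

```python
# Added example (not ocaml-tls code): decode a plaintext TLS alert record into a
# readable message, falling back to "unknown N" for codes outside the table.
import struct

# Alert descriptions from RFC 8446 section 6 (TLS 1.3).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21  # record-layer content type for alerts


def describe_alert(level: int, description: int, table=ALERT_DESCRIPTIONS) -> str:
    """Render an alert; unknown codes fall back to the bare integer."""
    lvl = ALERT_LEVELS.get(level, f"level {level}")
    desc = table.get(description, f"unknown {description}")
    return f"TLS alert from peer: {lvl} {desc}"


def parse_alert_record(record: bytes) -> tuple[int, int]:
    """Parse a plaintext TLS record carrying an alert; return (level, description)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:]
    # TLS 1.3 forbids fragmenting or coalescing alerts: the body is exactly 2 bytes.
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly two bytes")
    return body[0], body[1]


# Constructed sample (not a captured packet): a fatal certificate_unknown (46)
# alert in a record with legacy version 0x0303.
SAMPLE_RECORD = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x2E])

if __name__ == "__main__":
    print(describe_alert(*parse_alert_record(SAMPLE_RECORD)))
    print(describe_alert(*parse_alert_record(SAMPLE_RECORD), table={}))
```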

> As said, I'm undecided about that. We can of course do this case-by-case -- and now add the certificate_unknown, and when someone else comes along, add their favourite observed alert.

That sounds reasonable to me.

copy avatar Jun 19 '25 12:06 copy

Thanks. Sorry for the delay. I cut a release, 2.0.2, including your PR.

hannesm avatar Aug 22 '25 08:08 hannesm