Alerts

Alert Protocol as defined in RFC 8446 Section 6.

class siotls.contents.alerts.Alert

Abstract base class and registry for siotls.iana.AlertDescription.

can_fragment: bool = False

Can this content be fragmented over multiple TLS records?

content_type: ContentType = 21

The unique numeric identifier of the content.

description: AlertDescription | int

The unique numeric identifier of the alert.

level: AlertLevel

The severity of the alert. FATAL signals that both ends of the connection MUST be closed immediately. WARNING signals a graceful close.

exception siotls.contents.alerts.AccessDenied

A valid certificate or PSK was received, but when access control was applied, the sender decided not to proceed with negotiation.

exception siotls.contents.alerts.BadCertificate

A certificate was corrupt, contained signatures that did not verify correctly, etc.

exception siotls.contents.alerts.BadCertificateStatusResponse

Sent by clients when an invalid or unacceptable OCSP response is provided by the server via the “status_request” extension (see RFC6066).

exception siotls.contents.alerts.BadRecordMac

This alert is returned if a record is received which cannot be deprotected. Because AEAD algorithms combine decryption and verification, and also to avoid side-channel attacks, this alert is used for all deprotection failures. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network.

exception siotls.contents.alerts.CertificateExpired

A certificate has expired or is not currently valid.

exception siotls.contents.alerts.CertificateRequired

Sent by servers when a client certificate is desired but none was provided by the client.

exception siotls.contents.alerts.CertificateRevoked

A certificate was revoked by its signer.

exception siotls.contents.alerts.CertificateUnknown

Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.

class siotls.contents.alerts.CloseNotify

This alert notifies the recipient that the sender will not send any more messages on this connection. Any data received after a closure alert has been received MUST be ignored.

exception siotls.contents.alerts.DecodeError

A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This alert is used for errors where the message does not conform to the formal protocol syntax. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network.

Closely related to TLSBufferError.

exception siotls.contents.alerts.DecryptError

A handshake (not record layer) cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message or a PSK binder.

exception siotls.contents.alerts.HandshakeFailure

Receipt of a “handshake_failure” alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available.

exception siotls.contents.alerts.IllegalParameter

A field in the handshake was incorrect or inconsistent with other fields. This alert is used for errors which conform to the formal protocol syntax but are otherwise incorrect.

exception siotls.contents.alerts.InappropriateFallback

Sent by a server in response to an invalid connection retry attempt from a client (see RFC7507).

exception siotls.contents.alerts.InsufficientSecurity

Returned instead of “handshake_failure” when a negotiation has failed specifically because the server requires parameters more secure than those supported by the client.

exception siotls.contents.alerts.InternalError

An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue.

exception siotls.contents.alerts.MissingExtension

Sent by endpoints that receive a handshake message not containing an extension that is mandatory to send for the offered TLS version or other negotiated parameters.

exception siotls.contents.alerts.NoApplicationProtocol

Sent by servers when a client “application_layer_protocol_negotiation” extension advertises only protocols that the server does not support (see RFC7301).

exception siotls.contents.alerts.ProtocolVersion

The protocol version the peer has attempted to negotiate is recognized but not supported (see RFC8446 Appendix D).

exception siotls.contents.alerts.RecordOverflow

A TLSCiphertext record was received that had a length more than 2^14 + 256 bytes, or a record decrypted to a TLSPlaintext record with more than 2^14 bytes (or some other negotiated limit). This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network.

exception siotls.contents.alerts.UnexpectedMessage

An inappropriate message (e.g., the wrong handshake message, premature Application Data, etc.) was received. This alert should never be observed in communication between proper implementations.

exception siotls.contents.alerts.UnknownCa

A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known trust anchor.

exception siotls.contents.alerts.UnknownPskIdentity

Sent by servers when PSK key establishment is desired but no acceptable PSK identity is provided by the client. Sending this alert is OPTIONAL; servers MAY instead choose to send a “decrypt_error” alert to merely indicate an invalid PSK identity.

exception siotls.contents.alerts.UnrecognizedName

Sent by servers when no server exists identified by the name provided by the client via the “server_name” extension (see RFC6066).

exception siotls.contents.alerts.UnsupportedCertificate

A certificate was of an unsupported type.

exception siotls.contents.alerts.UnsupportedExtension

Sent by endpoints receiving any handshake message containing an extension known to be prohibited for inclusion in the given handshake message, or including any extensions in a ServerHello or Certificate not first offered in the corresponding ClientHello or CertificateRequest.

class siotls.contents.alerts.UserCanceled

This alert notifies the recipient that the sender is canceling the handshake for some reason unrelated to a protocol failure. If a user cancels an operation after the handshake is complete, just closing the connection by sending a “close_notify” is more appropriate. This alert SHOULD be followed by a “close_notify”. This alert generally has AlertLevel=warning.
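Added example (not siotls code and not part of its documentation): a standalone decoder for the two-byte alert payload carried in a record of content type 21, which also flags the alerts that the entries above say should never be observed between proper implementations. The name parse_alert, the returned keys and the sample payloads are assumptions made for this illustration; the code points are the AlertDescription values from RFC 8446 Section 6.

```python
# Added example: standalone decoder, not siotls code. Code points are the
# AlertDescription values registered in RFC 8446 Section 6.
WARNING, FATAL = 1, 2

DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}
CLOSURE = {0, 90}  # close_notify and user_canceled
# unexpected_message, bad_record_mac, record_overflow, decode_error: the
# entries above say these should never be seen between proper implementations.
ANOMALOUS = {10, 20, 22, 50}


def parse_alert(payload: bytes) -> dict:
    """Decode one alert record payload (hypothetical helper)."""
    # can_fragment is False: one record carries exactly one 2-byte alert.
    if len(payload) != 2:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, code = payload
    # Choice made by this example: reject values outside the AlertLevel enum.
    if level not in (WARNING, FATAL):
        raise ValueError(f"invalid AlertLevel {level}")
    # TLS 1.3 treats every non-closure alert, including unknown codes,
    # as an error alert regardless of the level byte.
    is_error = code not in CLOSURE
    return {
        "name": DESCRIPTIONS.get(code, f"unknown({code})"),
        "level": "fatal" if level == FATAL else "warning",
        "is_error": is_error,
        "level_mismatch": is_error and level != FATAL,
        "investigate": code in ANOMALOUS,
    }


# Constructed sample payloads (level byte, description byte).
SAMPLES = [b"\x01\x00", b"\x02\x14", b"\x01\x28", b"\x02\xff"]
if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.hex(), parse_alert(raw))
```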