diff options
author | Ingela Anderton Andin <[email protected]> | 2017-08-10 17:05:42 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2017-08-14 10:59:55 +0200 |
commit | 6bd79e8f543da4777ba872a0edeaae8a9a90d5a8 (patch) | |
tree | 1262f7f23b91637e0f4c69eaf5a5680044925621 /lib/ssl/src/ssl_alert.hrl | |
parent | 6b293df5e86e85b255d3ccf55f83bd847867679f (diff) | |
download | otp-6bd79e8f543da4777ba872a0edeaae8a9a90d5a8.tar.gz otp-6bd79e8f543da4777ba872a0edeaae8a9a90d5a8.tar.bz2 otp-6bd79e8f543da4777ba872a0edeaae8a9a90d5a8.zip |
dtls: Customize alert handling for DTLS over UDP
From RFC 6347:
4.1.2.7. Handling Invalid Records
Unlike TLS, DTLS is resilient in the face of invalid records (e.g.,
invalid formatting, length, MAC, etc.). In general, invalid
records SHOULD be silently discarded, thus preserving the
association; however, an error MAY be logged for diagnostic
purposes. Implementations which choose to generate an alert
instead, MUST generate fatal level alerts to avoid attacks where
the attacker repeatedly probes the implementation to see how it
responds to various types of error. Note that if DTLS is run over
UDP, then any implementation which does this will be extremely
susceptible to denial-of-service (DoS) attacks because UDP forgery
is so easy. Thus, this practice is NOT RECOMMENDED for such
transports.
Diffstat (limited to 'lib/ssl/src/ssl_alert.hrl')
-rw-r--r-- | lib/ssl/src/ssl_alert.hrl | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl_alert.hrl b/lib/ssl/src/ssl_alert.hrl index 1aabb6c55a..35670edea5 100644 --- a/lib/ssl/src/ssl_alert.hrl +++ b/lib/ssl/src/ssl_alert.hrl @@ -40,7 +40,7 @@ %% close_notify(0), %% unexpected_message(10), %% bad_record_mac(20), -%% decryption_failed(21), +%% decryption_failed_reserved(21), %% record_overflow(22), %% decompression_failure(30), %% handshake_failure(40), @@ -78,7 +78,7 @@ -define(CLOSE_NOTIFY, 0). -define(UNEXPECTED_MESSAGE, 10). -define(BAD_RECORD_MAC, 20). --define(DECRYPTION_FAILED, 21). +-define(DECRYPTION_FAILED_RESERVED, 21). -define(RECORD_OVERFLOW, 22). -define(DECOMPRESSION_FAILURE, 30). -define(HANDSHAKE_FAILURE, 40). |