path: root/lib/ssl/src/ssl_alert.hrl
author: Ingela Anderton Andin <[email protected]> 2017-08-10 17:05:42 +0200
committer: Ingela Anderton Andin <[email protected]> 2017-08-14 10:59:55 +0200
commit: 6bd79e8f543da4777ba872a0edeaae8a9a90d5a8 (patch)
tree: 1262f7f23b91637e0f4c69eaf5a5680044925621 /lib/ssl/src/ssl_alert.hrl
parent: 6b293df5e86e85b255d3ccf55f83bd847867679f (diff)
dtls: Customize alert handling for DTLS over UDP
From RFC 6347:

4.1.2.7. Handling Invalid Records

Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.
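The policy the commit message quotes, as an added Python example that is not part of OTP's ssl application: a DTLS 1.2 record-layer splitter that silently drops malformed records on UDP and only counts and logs them, while on a stream transport the same defect would surface as a fatal alert. The header layout and the alert codes 22/50 are from RFC 6347 and RFC 5246; `split_datagram`, `classify` and `FatalAlert` are names of the example's own.

```python
import logging
import struct

log = logging.getLogger("dtls.record")
# DTLS 1.2 record header (RFC 6347 4.1): type(1) version(2) epoch(2) seq(6) length(2)
HEADER = struct.Struct("!BHH6sH")
DTLS_1_2 = 0xFEFD
CONTENT_TYPES = {20, 21, 22, 23}        # change_cipher_spec, alert, handshake, application_data
MAX_FRAGMENT = 2 ** 14 + 2048           # longer records are record_overflow in TLS
RECORD_OVERFLOW, DECODE_ERROR = 22, 50  # AlertDescription values from RFC 5246 7.2

class FatalAlert(Exception):
    """Raised where a stream (TLS over TCP) record layer would send a fatal alert."""

def classify(ctype, version, length, remaining):
    """None if the header is acceptable, else (reason, alert_code, resync), where
    resync says whether the length field can still be trusted to find the next record."""
    if length > MAX_FRAGMENT:
        return "record_overflow", RECORD_OVERFLOW, False
    if remaining < length:
        return "truncated_body", DECODE_ERROR, False
    if ctype not in CONTENT_TYPES or version != DTLS_1_2:
        return "bad_type_or_version", DECODE_ERROR, True
    return None

def split_datagram(datagram, transport="udp"):
    """Split one datagram into (type, epoch, seq, body) records; return (records, discarded).
    On UDP an invalid record is silently dropped and counted (RFC 6347 4.1.2.7);
    on a stream transport the same defect raises FatalAlert, as TLS would."""
    records, discarded, off = [], 0, 0
    while off < len(datagram):
        if len(datagram) - off < HEADER.size:
            problem = ("truncated_header", DECODE_ERROR, False)
        else:
            ctype, version, epoch, seq, length = HEADER.unpack_from(datagram, off)
            problem = classify(ctype, version, length, len(datagram) - off - HEADER.size)
        if problem is None:
            start = off + HEADER.size
            records.append((ctype, epoch, int.from_bytes(seq, "big"), datagram[start:start + length]))
            off = start + length
            continue
        reason, alert, resync = problem
        if transport != "udp":
            raise FatalAlert(alert)         # TLS: fatal alert, the connection is torn down
        discarded += 1                      # DTLS: silent discard keeps the association alive
        log.debug("discarding DTLS record at offset %d: %s", off, reason)
        if not resync:
            break
        off += HEADER.size + length
    return records, discarded
```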
Diffstat (limited to 'lib/ssl/src/ssl_alert.hrl')
-rw-r--r--  lib/ssl/src/ssl_alert.hrl | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl_alert.hrl b/lib/ssl/src/ssl_alert.hrl
index 1aabb6c55a..35670edea5 100644
--- a/lib/ssl/src/ssl_alert.hrl
+++ b/lib/ssl/src/ssl_alert.hrl
@@ -40,7 +40,7 @@
%% close_notify(0),
%% unexpected_message(10),
%% bad_record_mac(20),
-%% decryption_failed(21),
+%% decryption_failed_reserved(21),
%% record_overflow(22),
%% decompression_failure(30),
%% handshake_failure(40),
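Review bot: the renamed comment entry decryption_failed_reserved(21) follows the RFC 5246 AlertDescription name (decryption_failed_RESERVED), but the commit message says nothing about this rename; a sentence stating that alert 21 is a reserved legacy value that a compliant implementation must never send would make the intent of the two-line change clear to readers of the log.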
@@ -78,7 +78,7 @@
-define(CLOSE_NOTIFY, 0).
-define(UNEXPECTED_MESSAGE, 10).
-define(BAD_RECORD_MAC, 20).
--define(DECRYPTION_FAILED, 21).
+-define(DECRYPTION_FAILED_RESERVED, 21).
-define(RECORD_OVERFLOW, 22).
-define(DECOMPRESSION_FAILURE, 30).
-define(HANDSHAKE_FAILURE, 40).
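Review bot: renaming the macro from ?DECRYPTION_FAILED to ?DECRYPTION_FAILED_RESERVED breaks compilation of any module that still references the old name, and this view is limited to ssl_alert.hrl, so it cannot be seen here whether the alert-description and alert-text lookups in the ssl modules were updated in the same commit; confirm those callers were changed, or keep the old name as an alias for one release if external code might depend on it.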