Send TLS alerts in many more cases The TLS client and server code was usually closing the connection in case of a fatal error without sending an alert. This commit adds alerts in many cases. Added one test case to detect that we send the alert, where a server complains that the client's certificate is from an unknown CA (case tracked internally as IOTSSL-1330).

commit: 1cc8e3472ab6d02ea17f99dc1b478ac9c3061cd2 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed May 03 16:28:34 2017 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Wed May 03 16:28:34 2017 +0200
tree: 0da559b3ddc928c71afad7355a82d0d8eee3a2fe
parent: 071db41627758963a1cedbed923c5e2a51543985 [diff]
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4f633fc..f7b43f6 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -1840,8 +1840,12 @@
             -s "x509_verify_cert() returned" \
             -s "! The certificate is not correctly signed by the trusted CA" \
             -s "! mbedtls_ssl_handshake returned" \
+            -s "send alert level=2 message=48" \
             -c "! mbedtls_ssl_handshake returned" \
             -s "X509 - Certificate verification failed"
+# We don't check that the client receives the alert because it might
+# detect that its write end of the connection is closed and abort
+# before reading the alert message.
 
 run_test    "Authentication: client badcert, server optional" \
             "$P_SRV debug_level=3 auth_mode=optional" \
commit	1cc8e3472ab6d02ea17f99dc1b478ac9c3061cd2	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed May 03 16:28:34 2017 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Wed May 03 16:28:34 2017 +0200
tree	0da559b3ddc928c71afad7355a82d0d8eee3a2fe
parent	071db41627758963a1cedbed923c5e2a51543985 [diff]