From 6c14129b16b4c9f96b916ea4e1178d424d6ca39f Mon Sep 17 00:00:00 2001
From: Kareem
Date: Mon, 11 May 2026 15:26:57 -0700
Subject: [PATCH] Send correct alert type when server requests certificate and client has none set. Thanks to Cal Page for the report.
---
 src/tls13.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tls13.c b/src/tls13.c
index c07f9b0803..658b742f5e 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6156,7 +6156,10 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
 ssl->options.sendVerify = SEND_BLANK_CERT;
 #else
 WOLFSSL_MSG("Certificate required but none set on client");
- SendAlert(ssl, alert_fatal, illegal_parameter);
+ /* RFC 8446 Section 4.4.2.4: send certificate_required when a
+ * peer (here, the client) cannot provide a certificate that the
+ * other peer required. */
+ SendAlert(ssl, alert_fatal, certificate_required);
 WOLFSSL_ERROR_VERBOSE(NO_CERT_ERROR);
 return NO_CERT_ERROR;
 #endif
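Review bot: The new comment above the SendAlert call misattributes the RFC: Section 4.4.2.4 (and the alert definition in Section 6.2) describe certificate_required as an alert the *server* sends when it wanted a client certificate and received an empty Certificate message, while Section 4.4.2 says a client with no suitable certificate MUST send an empty Certificate message, which is what the SEND_BLANK_CERT branch above this `#else` already does. Switching from illegal_parameter is still an improvement, since the CertificateRequest itself was well-formed and that alert implied a peer protocol error, but the comment should say the alert is being borrowed for a local abort rather than that the RFC prescribes it. I would replace the three comment lines with `/* RFC 8446 4.4.2: a client with no suitable certificate MUST send an empty` / ` * Certificate (the SEND_BLANK_CERT branch). This build aborts instead with` / ` * certificate_required (6.2), which the RFC only defines as server-sent. */`. DoTls13CertificateRequest begins and ends outside this hunk, so I cannot see how NO_CERT_ERROR is surfaced to the caller after the alert is sent.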