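NSS Error Code Details

This article lists and explains a series of error codes in the NSS security library, covering SSL connection failures, cipher algorithm mismatches, certificate verification failures and other cases, to help developers understand and resolve NSS-related security problems.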


Table 8.1 Error codes defined in sslerr.h

SSL_ERROR_EXPORT_ONLY_SERVER -12288 “Unable to communicate securely. Peer does not support high-grade encryption.”

The local system was configured to support the cipher suites permitted for domestic use. The remote system was configured to support only the cipher suites permitted for export use.

SSL_ERROR_US_ONLY_SERVER -12287 “Unable to communicate securely. Peer requires high-grade encryption which is not supported.”

The remote system was configured to support the cipher suites permitted for domestic use. The local system was configured to support only the cipher suites permitted for export use.

SSL_ERROR_NO_CYPHER_OVERLAP -12286 “Cannot communicate securely with peer: no common encryption algorithm(s).”

The local and remote systems share no cipher suites in common. This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm.

SSL_ERROR_NO_CERTIFICATE -12285 “Unable to find the certificate or key necessary for authentication.”

This error has many potential causes; for example:
Certificate or key not found in database.
Certificate not marked trusted in database and Certificate’s issuer not marked trusted in database.
Wrong password for key database.
Missing database.

SSL_ERROR_BAD_CERTIFICATE -12284 “Unable to communicate securely with peer: peers’s certificate was rejected.”

A certificate was received from the remote system and was passed to the certificate authentication callback function provided by the local application. That callback function returned SECFailure, and the bad certificate callback function either was not configured or did not choose to override the error code returned by the certificate authentication callback function.

-12283 (unused)

SSL_ERROR_BAD_CLIENT -12282 “The server has encountered bad data from the client.”

This error code should occur only on sockets that are acting as servers. It is a generic error, used when none of the other more specific error codes defined in this file applies.

SSL_ERROR_BAD_SERVER -12281 “The client has encountered bad data from the server.”

This error code should occur only on sockets that are acting as clients. It is a generic error, used when none of the other more specific error codes defined in this file applies.

SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE -12280 “Unsupported certificate type.”

The operation encountered a certificate that was not one of the well known certificate types handled by the certificate library.

SSL_ERROR_UNSUPPORTED_VERSION -12279 “Peer using unsupported version of security protocol.”

On a client socket, this means the remote server has attempted to negotiate the use of a version of SSL that is not supported by the NSS library, probably an invalid version number. On a server socket, this means the remote client has requested the use of a version of SSL older than version 2.

-12278 (unused)

SSL_ERROR_WRONG_CERTIFICATE -12277 “Client authentication failed: private key in key database does not correspond to public key in certificate database.”

SSL_ERROR_BAD_CERT_DOMAIN -12276 “Unable to communicate securely with peer: requested domain name does not match the server’s certificate.”

This error code should be returned by the certificate authentication callback function when it detects that the Common Name in the remote server’s certificate does not match the hostname sought by the local client, according to the matching rules specified for CERT_VerifyCertName.

SSL_ERROR_POST_WARNING -12275 (unused)

SSL_ERROR_SSL2_DISABLED -12274 “Peer only supports SSL version 2, which is locally disabled.”

The remote server has asked to use SSL version 2, and SSL version 2 is disabled in the local client’s configuration.

SSL_ERROR_BAD_MAC_READ -12273 “SSL received a record with an incorrect Message Authentication Code.”

This usually indicates that the client and server have failed to come to agreement on the set of keys used to encrypt the application data and to check message integrity. If this occurs frequently on a server, an active attack (such as the “million question” attack) may be underway against the server.

SSL_ERROR_BAD_MAC_ALERT -12272 “SSL peer reports incorrect Message Authentication Code.”

The remote system has reported that it received a message with a bad Message Authentication Code from the local system. This may indicate that an attack on that server is underway.

SSL_ERROR_BAD_CERT_ALERT -12271 “SSL peer cannot verify your certificate.”

The remote system has received a certificate from the local system, and has rejected it for some reason.

SSL_ERROR_REVOKED_CERT_ALERT -12270 “SSL peer rejected your certificate as revoked.”

The remote system has received a certificate from the local system, and has determined that the certificate has been revoked.

SSL_ERROR_EXPIRED_CERT_ALERT -12269 “SSL peer rejected your certificate as expired.”

The remote system has received a certificate from the local system, and has determined that the certificate has expired.

SSL_ERROR_SSL_DISABLED -12268 “Cannot connect: SSL is disabled.”

The local socket is configured in such a way that it cannot use any of the SSL cipher suites. Possible causes include: (a) both SSL2 and SSL3 are disabled, (b) all the individual SSL cipher suites are disabled, or (c) the socket is configured to handshake as a server, but the certificate associated with that socket is inappropriate for the Key Exchange Algorithm selected.

SSL_ERROR_FORTEZZA_PQG -12267 “Cannot connect: SSL peer is in another FORTEZZA domain.”

The local system and the remote system are in different FORTEZZA domains. They must be in the same domain to communicate.

SSL_ERROR_UNKNOWN_CIPHER_SUITE -12266 “An unknown SSL cipher suite has been requested.”

The application has attempted to configure SSL to use an unknown cipher suite.

SSL_ERROR_NO_CIPHERS_SUPPORTED -12265 “No cipher suites are present and enabled in this program.”

Possible causes: (a) all cipher suites have been configured to be disabled, (b) the only cipher suites that are configured to be enabled are those that are disallowed by cipher export policy, (c) the socket is configured to handshake as a server, but the certificate associated with that socket is inappropriate for the Key Exchange Algorithm selected.

SSL_ERROR_BAD_BLOCK_PADDING -12264 “SSL received a record with bad block padding.”

SSL was using a Block cipher, and the last block in an SSL record had incorrect padding information in it. This usually indicates that the client and server have failed to come to agreement on the set of keys used to encrypt the application data and to check message integrity. If this occurs frequently on a server, an active attack (such as the “million question” attack) may be underw
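
The entries for SSL_ERROR_BAD_MAC_READ and SSL_ERROR_BAD_BLOCK_PADDING above say that frequent occurrences on a server deserve attention. The following is an added example, not code from NSS or from the original post, of a per-peer sliding-window counter a server could feed with the error value it gets after a failed read. The function name `record_ssl_error`, the per-peer keying, the 60-second window, the threshold of 5 and the table size are assumptions; the two error values are copied from the table.

```c
#include <stddef.h>
#include <string.h>

/* Values copied from the table above (sslerr.h). */
#define SSL_ERROR_BAD_MAC_READ      (-12273)
#define SSL_ERROR_BAD_BLOCK_PADDING (-12264)

#define WINDOW_SECS 60  /* assumed: look-back window in seconds */
#define THRESHOLD   5   /* assumed: failures in the window that raise a flag */
#define MAX_PEERS   64  /* assumed: fixed table size for the example */

struct peer_stat {
    char peer[46];           /* textual IPv4/IPv6 address */
    long stamps[THRESHOLD];  /* ring buffer of the latest failure times */
    int  count;              /* total integrity failures seen for this peer */
};

static struct peer_stat peers[MAX_PEERS];  /* zero-initialised */
static int peers_used;

/* Record one failed read for `peer` at time `now` (seconds).
 * Returns 1 when the peer has produced THRESHOLD MAC/padding failures
 * within WINDOW_SECS, 0 otherwise. Other error codes are ignored. */
int record_ssl_error(const char *peer, int err, long now)
{
    struct peer_stat *p = NULL;
    long oldest;

    if (err != SSL_ERROR_BAD_MAC_READ && err != SSL_ERROR_BAD_BLOCK_PADDING)
        return 0;
    for (int i = 0; i < peers_used; i++)
        if (strcmp(peers[i].peer, peer) == 0) { p = &peers[i]; break; }
    if (p == NULL) {
        if (peers_used == MAX_PEERS)
            return 0;  /* table full: peer not tracked in this example */
        p = &peers[peers_used++];
        strncpy(p->peer, peer, sizeof p->peer - 1);
    }
    p->stamps[p->count % THRESHOLD] = now;
    p->count++;
    /* After the increment this slot holds the oldest of the last THRESHOLD. */
    oldest = p->stamps[p->count % THRESHOLD];
    return p->count >= THRESHOLD && now - oldest <= WINDOW_SECS;
}
```

A flagged peer is a prompt to inspect the connection logs; as the table notes, these two errors usually just mean the two sides failed to agree on keys.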
