4. Error Alerts
The TLS Alert Protocol is used to signal error conditions during the TLS handshake and during protected data transfer. The alert messages are specified in [TLS1.0], [TLS1.1], and [TLS1.2].
If a client or server receives an authorization information handshake message that it does not recognize, then it MUST send an unsupported_certificate alert.
If a client or server receives malformed authorization information, then it SHOULD send a decode_error alert.
If a client or server receives an authorization information handshake message that contains invalid authorization information, then it SHOULD send a bad_certificate alert.
If a client or server receives an authorization information handshake message, but it is unable to validate the authorization information successfully, then it SHOULD send a certificate_unknown alert.
If a client or server receives an authorization information handshake message, but it is unable to obtain the referenced authorization information (in the case of x509_attr_cert_url or saml_assertion_url), then it SHOULD send a certificate_unobtainable alert.
If a server needs authorization information from a client, but the client does not provide it, then the server SHOULD send a certificate_required alert.
If a client or server has access control policies that cannot be satisfied by the authorization information that is received, then the client or server MAY send an access_denied alert.
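One way a receiver could order these checks so that each failure yields the alert named above, as an added example that is not code from the specification. The exception classes, stage callables, entry dictionaries and the authz.example URL are hypothetical, and treating an unsupported format as an unrecognized message is an assumption.

```python
from collections import namedtuple
# Added illustration: exception names, stage callables and entry layout are hypothetical.
URL_FORMATS = {"x509_attr_cert_url", "saml_assertion_url"}
Result = namedtuple("Result", "accepted alert level")

class AuthzError(Exception): alert = None
class FetchFailed(AuthzError): alert = "certificate_unobtainable"  # referenced data not retrieved
class Malformed(AuthzError): alert = "decode_error"                # data does not parse
class Invalid(AuthzError): alert = "bad_certificate"               # parsed, definitely invalid
class Indeterminate(AuthzError): alert = "certificate_unknown"     # validation could not complete

def check_entry(entry, supported, fetch, decode, validate, policy_ok):
    fmt = entry["format"]
    if fmt not in supported:  # assumption: unsupported format == "not recognized"
        return Result(False, "unsupported_certificate", "MUST")
    try:
        raw = fetch(entry["url"]) if fmt in URL_FORMATS else entry["data"]
        info = decode(fmt, raw)
        validate(info)
    except AuthzError as exc:
        return Result(False, exc.alert, "SHOULD")
    if not policy_ok(info):   # level MAY: the caller may reject without alerting
        return Result(False, "access_denied", "MAY")
    return Result(True, None, None)

def check_peer(entries, required, **stages):
    if required and not entries:  # server needs authorization info, client sent none
        return Result(False, "certificate_required", "SHOULD")
    results = (check_entry(e, **stages) for e in entries)
    return next((r for r in results if not r.accepted), Result(True, None, None))

# Constructed toy stages so the block runs offline; real ones parse and verify.
def demo_fetch(url):
    if not url.startswith("https://authz.example/"):
        raise FetchFailed(url)
    return b"role=admin;sig=good"

def demo_decode(fmt, raw):
    try:
        return dict(kv.split("=") for kv in raw.decode().split(";"))
    except ValueError as exc:
        raise Malformed(fmt) from exc

def demo_validate(info):
    if info.get("sig") != "good":
        raise Invalid() if info.get("sig") == "bad" else Indeterminate()

DEMO = dict(supported={"saml_assertion", "saml_assertion_url"}, fetch=demo_fetch,
            decode=demo_decode, validate=demo_validate, policy_ok=lambda i: i.get("role") == "admin")
```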