miTLS server responds to bad_certificate alert with encrypted alert of decryption_failed_RESERVED

[oweisse-msft]

See also https://github.com/mitls/mitls-fstar/issues/176.

Is decryption_failed_RESERVED the right response to another alert?

[beurdouche]

Not if you are using TLS 1.3.

[s-zanella]

This is another case where the server expects an encrypted message but gets a plaintext alert. A decryption_failed_RESERVED alert must never be sent in TLS 1.3 (we could send decrypt_error instead), but really the server should parse and respond to plaintext alerts before receiving the client's Finished message.

[BarryBo]

Can you follow up on this, to make sure it is addressed during verification? If it is truly a bug in the TLS 1.3 codepath.