eclipse-californium / californium

CoAP/DTLS Java Implementation

Home Page:https://www.eclipse.org/californium/


Alert should be BAD_CERTIFICATE instead of DECRYPT_ERROR when certificate chain can't be validated

Nick-The-Uncharted opened this issue · comments

AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.DECRYPT_ERROR);

The alert here should be BAD_CERTIFICATE instead of DECRYPT_ERROR.

Sorry for not being able to provide a PR because of the security policy of my company.

Thanks for reporting.

RFC5246

bad_certificate
A certificate was corrupt, contained signatures that did not
verify correctly, etc.

and

decrypt_error
A handshake cryptographic operation failed, including being unable
to correctly verify a signature or validate a Finished message.
This message is always fatal.

FMPOV, the causing GeneralSecurityException is unspecific, so it's not easy to decide which one matches better.
Without the actual cause and/or the invalid message, it's hard to improve the code without violating other cases.
Anyway, I have no real strong opinion on that. Do you have additional info, such as the exception message or a hint what's wrong with the certificate message?

@boaks But it's not consistent with other implementations of org.eclipse.leshan.client.californium.BaseCertificateVerifier#verifyCertificate.
ServiceCertificateConstraintCertificateVerifier/CaConstraintCertificateVerifier/ServiceCertificateConstraintCertificateVerifier all use BAD_CERTIFICATE. The Certificate message is not encrypted, and the only possibility of a GeneralSecurityException in the code the try-catch handles is CertPathUtil.validateCertificatePathWithIssuer, so maybe bad_certificate is more appropriate.

org.eclipse.leshan

leshan != californium

Have you faced such exceptions? If so, what's the exception message?
Or is this a question in advance, in order to have the same behavior for the leshan verifier and the californium one?

Please check, if PR #2133 works for you.

@boaks Sorry for the delay, I confirmed that the exception I faced is java.security.cert.CertPathValidatorException: Trust anchor for certification path not found (I misconfigured the trust CA). So your PR perfectly solved my problem.

I added a check for expired certificates and use CERTIFICATE_EXPIRED for that.
Does this still fit your needs?

@boaks That's better, that makes identifying TLS failures much easier.
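As an added illustration of the alert mapping discussed in this thread (not Californium's own code and not the PR referenced above): a helper that inspects the exception thrown by JDK certificate path validation and picks BAD_CERTIFICATE, CERTIFICATE_EXPIRED or DECRYPT_ERROR accordingly. It assumes Californium's `org.eclipse.californium.scandium.dtls.AlertMessage` class with its nested `AlertLevel` and `AlertDescription` enums, and the two-argument `AlertMessage` constructor shown in the issue.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;

// Assumed Californium types (package and nested enums as in the scandium module).
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.AlertMessage.AlertDescription;
import org.eclipse.californium.scandium.dtls.AlertMessage.AlertLevel;

public final class CertificateAlertMapping {

    /** Explicit validity check on the leaf, so expiry is reported on its own
     *  instead of being folded into a generic path-validation failure. */
    static AlertDescription checkValidity(X509Certificate leaf, Date now) {
        try {
            leaf.checkValidity(now);
            return null; // within the validity period, nothing to report
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return AlertDescription.CERTIFICATE_EXPIRED;
        }
    }

    /** Map a path-validation failure to the alert description the peer should see. */
    static AlertDescription describe(GeneralSecurityException cause) {
        if (cause instanceof CertPathValidatorException) {
            BasicReason reason = null;
            CertPathValidatorException.Reason r = ((CertPathValidatorException) cause).getReason();
            if (r instanceof BasicReason) {
                reason = (BasicReason) r;
            }
            if (reason == BasicReason.EXPIRED || reason == BasicReason.NOT_YET_VALID) {
                return AlertDescription.CERTIFICATE_EXPIRED;
            }
            // Missing trust anchor (the reporter's case), bad signature, malformed chain:
            // the peer's certificate is the problem, so BAD_CERTIFICATE per RFC 5246.
            return AlertDescription.BAD_CERTIFICATE;
        }
        // Any other crypto-stack failure stays a generic handshake crypto error.
        return AlertDescription.DECRYPT_ERROR;
    }

    static AlertMessage fatalAlert(GeneralSecurityException cause) {
        return new AlertMessage(AlertLevel.FATAL, describe(cause));
    }
}
```

Calling `checkValidity` before path validation and `fatalAlert` in the catch block gives the peer (and the server logs) a specific reason instead of a uniform DECRYPT_ERROR.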