<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>GTlsConnection: GIO Reference Manual</title>

<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">

<link rel="home" href="index.html" title="GIO Reference Manual">

<link rel="up" href="tls.html" title="TLS (SSL) support">

<link rel="prev" href="GTlsCertificate.html" title="GTlsCertificate">

<link rel="next" href="GTlsClientConnection.html" title="GTlsClientConnection">

<meta name="generator" content="GTK-Doc V1.27 (XML mode)">

<link rel="stylesheet" href="style.css" type="text/css">

</head>

<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

Top  | 

                  Description  | 

                  Object Hierarchy  | 

                  Known Derived Interfaces  | 

                  Properties  | 

                  Signals

GTlsConnection

GTlsConnection — TLS connection type

Functions

void

g_tls_connection_set_certificate ()

GTlsCertificate *

g_tls_connection_get_certificate ()

GTlsCertificate *

g_tls_connection_get_peer_certificate ()

GTlsCertificateFlags

g_tls_connection_get_peer_certificate_errors ()

void

g_tls_connection_set_require_close_notify ()

gboolean

g_tls_connection_get_require_close_notify ()

void

g_tls_connection_set_rehandshake_mode ()

GTlsRehandshakeMode

g_tls_connection_get_rehandshake_mode ()

void

g_tls_connection_set_use_system_certdb ()

gboolean

g_tls_connection_get_use_system_certdb ()

GTlsDatabase *

g_tls_connection_get_database ()

void

g_tls_connection_set_database ()

GTlsInteraction *

g_tls_connection_get_interaction ()

void

g_tls_connection_set_interaction ()

gboolean

g_tls_connection_handshake ()

void

g_tls_connection_handshake_async ()

gboolean

g_tls_connection_handshake_finish ()

gboolean

g_tls_connection_emit_accept_certificate ()

Properties

GIOStream *

base-io-stream

Read / Write / Construct Only

GTlsCertificate *

certificate

Read / Write

GTlsDatabase *

database

Read / Write

GTlsInteraction *

interaction

Read / Write

GTlsCertificate *

peer-certificate

Read

GTlsCertificateFlags

peer-certificate-errors

Read

GTlsRehandshakeMode

rehandshake-mode

Read / Write / Construct

gboolean

require-close-notify

Read / Write / Construct

gboolean

use-system-certdb

Read / Write / Construct

Signals

gboolean

accept-certificate

Run Last

Types and Values

GTlsConnection

enum

GTlsRehandshakeMode

Object Hierarchy

    GObject

    ╰── GIOStream

        ╰── GTlsConnection

Known Derived Interfaces

GTlsConnection is required by

 GTlsClientConnection and  GTlsServerConnection.

Includes

#include <gio/gio.h>

Description

GTlsConnection is the base TLS connection class type, which wraps

a GIOStream and provides TLS encryption on top of it. Its

subclasses, GTlsClientConnection and GTlsServerConnection,

implement client-side and server-side TLS, respectively.

For DTLS (Datagram TLS) support, see GDtlsConnection.

Functions

g_tls_connection_set_certificate ()

void

g_tls_connection_set_certificate (GTlsConnection *conn,

                                  GTlsCertificate *certificate);

This sets the certificate that conn

 will present to its peer

during the TLS handshake. For a GTlsServerConnection, it is

mandatory to set this, and that will normally be done at construct

time.

For a GTlsClientConnection, this is optional. If a handshake fails

with G_TLS_ERROR_CERTIFICATE_REQUIRED, that means that the server

requires a certificate, and if you try connecting again, you should

call this method first. You can call

g_tls_client_connection_get_accepted_cas() on the failed connection

to get a list of Certificate Authorities that the server will

accept certificates from.

(It is also possible that a server will allow the connection with

or without a certificate; in that case, if you don't provide a

certificate, you can tell that the server requested one by the fact

that g_tls_client_connection_get_accepted_cas() will return

non-NULL.)

Parameters

conn

a GTlsConnection

certificate

the certificate to use for conn

Since: 2.28

g_tls_connection_get_certificate ()

GTlsCertificate *

g_tls_connection_get_certificate (GTlsConnection *conn);

Gets conn

's certificate, as set by

g_tls_connection_set_certificate().

Parameters

conn

a GTlsConnection

Returns

conn

's certificate, or NULL. 

[transfer none]

Since: 2.28

g_tls_connection_get_peer_certificate ()

GTlsCertificate *

g_tls_connection_get_peer_certificate (GTlsConnection *conn);

Gets conn

's peer's certificate after the handshake has completed.

(It is not set during the emission of

“accept-certificate”.)

Parameters

conn

a GTlsConnection

Returns

conn

's peer's certificate, or NULL. 

[transfer none]

Since: 2.28

g_tls_connection_get_peer_certificate_errors ()

GTlsCertificateFlags

g_tls_connection_get_peer_certificate_errors

                               (GTlsConnection *conn);

Gets the errors associated with validating conn

's peer's

certificate, after the handshake has completed. (It is not set

during the emission of “accept-certificate”.)

Parameters

conn

a GTlsConnection

Returns

 conn

's peer's certificate errors

Since: 2.28

g_tls_connection_set_require_close_notify ()

void

g_tls_connection_set_require_close_notify

                               (GTlsConnection *conn,

                                gboolean require_close_notify);

Sets whether or not conn

 expects a proper TLS close notification

before the connection is closed. If this is TRUE (the default),

then conn

 will expect to receive a TLS close notification from its

peer before the connection is closed, and will return a

G_TLS_ERROR_EOF error if the connection is closed without proper

notification (since this may indicate a network error, or

man-in-the-middle attack).

In some protocols, the application will know whether or not the

connection was closed cleanly based on application-level data

(because the application-level data includes a length field, or is

somehow self-delimiting); in this case, the close notify is

redundant and sometimes omitted. (TLS 1.1 explicitly allows this;

in TLS 1.0 it is technically an error, but often done anyway.) You

can use g_tls_connection_set_require_close_notify() to tell conn

to allow an "unannounced" connection close, in which case the close

will show up as a 0-length read, as in a non-TLS

GSocketConnection, and it is up to the application to check that

the data has been fully received.

Note that this only affects the behavior when the peer closes the

connection; when the application calls g_io_stream_close() itself

on conn

, this will send a close notification regardless of the

setting of this property. If you explicitly want to do an unclean

close, you can close conn

's “base-io-stream” rather

than closing conn

 itself, but note that this may only be done when no other

operations are pending on conn

 or the base I/O stream.

Parameters

conn

a GTlsConnection

require_close_notify

whether or not to require close notification

Since: 2.28

g_tls_connection_get_require_close_notify ()

gboolean

g_tls_connection_get_require_close_notify

                               (GTlsConnection *conn);

Tests whether or not conn

 expects a proper TLS close notification

when the connection is closed. See

g_tls_connection_set_require_close_notify() for details.

Parameters

conn

a GTlsConnection

Returns

 TRUE if conn

requires a proper TLS close

notification.

Since: 2.28

g_tls_connection_set_rehandshake_mode ()

void

g_tls_connection_set_rehandshake_mode (GTlsConnection *conn,

                                       GTlsRehandshakeMode mode);

Sets how conn

 behaves with respect to rehandshaking requests.

G_TLS_REHANDSHAKE_NEVER means that it will never agree to

rehandshake after the initial handshake is complete. (For a client,

this means it will refuse rehandshake requests from the server, and

for a server, this means it will close the connection with an error

if the client attempts to rehandshake.)

G_TLS_REHANDSHAKE_SAFELY means that the connection will allow a

rehandshake only if the other end of the connection supports the

TLS renegotiation_info extension. This is the default behavior,

but means that rehandshaking will not work against older

implementations that do not support that extension.

G_TLS_REHANDSHAKE_UNSAFELY means that the connection will allow

rehandshaking even without the renegotiation_info extension. On

the server side in particular, this is not recommended, since it

leaves the server open to certain attacks. However, this mode is

necessary if you need to allow renegotiation with older client

software.

Parameters

conn

a GTlsConnection

mode

the rehandshaking mode

Since: 2.28

g_tls_connection_get_rehandshake_mode ()

GTlsRehandshakeMode

g_tls_connection_get_rehandshake_mode (GTlsConnection *conn);

Gets conn

 rehandshaking mode. See

g_tls_connection_set_rehandshake_mode() for details.

Parameters

conn

a GTlsConnection

Returns

 conn

's rehandshaking mode

Since: 2.28

g_tls_connection_set_use_system_certdb ()

void

g_tls_connection_set_use_system_certdb

                               (GTlsConnection *conn,

                                gboolean use_system_certdb);

g_tls_connection_set_use_system_certdb has been deprecated since version 2.30 and should not be used in newly-written code.

Use g_tls_connection_set_database() instead

Sets whether conn

 uses the system certificate database to verify

peer certificates. This is TRUE by default. If set to FALSE, then

peer certificate validation will always set the

G_TLS_CERTIFICATE_UNKNOWN_CA error (meaning

“accept-certificate” will always be emitted on

client-side connections, unless that bit is not set in

“validation-flags”).

Parameters

conn

a GTlsConnection

use_system_certdb

whether to use the system certificate database

g_tls_connection_get_use_system_certdb ()

gboolean

g_tls_connection_get_use_system_certdb

                               (GTlsConnection *conn);

g_tls_connection_get_use_system_certdb has been deprecated since version 2.30 and should not be used in newly-written code.

Use g_tls_connection_get_database() instead

Gets whether conn

 uses the system certificate database to verify

peer certificates. See g_tls_connection_set_use_system_certdb().

Parameters

conn

a GTlsConnection

Returns

 whether conn

uses the system certificate database

g_tls_connection_get_database ()

GTlsDatabase *

g_tls_connection_get_database (GTlsConnection *conn);

Gets the certificate database that conn

 uses to verify

peer certificates. See g_tls_connection_set_database().

Parameters

conn

a GTlsConnection

Returns

the certificate database that conn

uses or NULL. 

[transfer none]

Since: 2.30

g_tls_connection_set_database ()

void

g_tls_connection_set_database (GTlsConnection *conn,

                               GTlsDatabase *database);

Sets the certificate database that is used to verify peer certificates.

This is set to the default database by default. See

g_tls_backend_get_default_database(). If set to NULL, then

peer certificate validation will always set the

G_TLS_CERTIFICATE_UNKNOWN_CA error (meaning

“accept-certificate” will always be emitted on

client-side connections, unless that bit is not set in

“validation-flags”).

Parameters

conn

a GTlsConnection

database

a GTlsDatabase

Since: 2.30

g_tls_connection_get_interaction ()

GTlsInteraction *

g_tls_connection_get_interaction (GTlsConnection *conn);

Get the object that will be used to interact with the user. It will be used

for things like prompting the user for passwords. If NULL is returned, then

no user interaction will occur for this connection.

Parameters

conn

a connection