Properties

  gpointer               accepted-cas        Read
  GSocketConnectable *   server-identity     Read / Write / Construct
  gboolean               use-ssl3            Read / Write / Construct
  GTlsCertificateFlags   validation-flags    Read / Write / Construct
Description
GTlsClientConnection is the client-side subclass of GTlsConnection, representing a client-side TLS connection.
Functions
g_tls_client_connection_new ()

GIOStream *
g_tls_client_connection_new (GIOStream *base_io_stream,
                             GSocketConnectable *server_identity,
                             GError **error);

Creates a new GTlsClientConnection wrapping base_io_stream (which must have pollable input and output streams) which is assumed to communicate with the server identified by server_identity.

See the documentation for “base-io-stream” for restrictions on when application code can run operations on the base_io_stream after this function has returned.

Since: 2.28
g_tls_client_connection_set_server_identity ()

void
g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
                                             GSocketConnectable *identity);

Sets conn's expected server identity, which is used both to tell servers on virtual hosts which certificate to present, and also to let conn know what name to look for in the certificate when performing G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled.

Since: 2.28
g_tls_client_connection_get_server_identity ()

GSocketConnectable *
g_tls_client_connection_get_server_identity (GTlsClientConnection *conn);

Gets conn's expected server identity.

Returns: a GSocketConnectable describing the expected server identity, or NULL if the expected identity is not known. [transfer none]

Since: 2.28
g_tls_client_connection_set_validation_flags ()

void
g_tls_client_connection_set_validation_flags (GTlsClientConnection *conn,
                                              GTlsCertificateFlags flags);

Sets conn's validation flags, to override the default set of checks performed when validating a server certificate. By default, G_TLS_CERTIFICATE_VALIDATE_ALL is used.

Since: 2.28
g_tls_client_connection_get_validation_flags ()

GTlsCertificateFlags
g_tls_client_connection_get_validation_flags (GTlsClientConnection *conn);

Gets conn's validation flags.

Since: 2.28
g_tls_client_connection_set_use_ssl3 ()

void
g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
                                      gboolean use_ssl3);

g_tls_client_connection_set_use_ssl3 has been deprecated since version 2.56 and should not be used in newly-written code.
SSL 3.0 is insecure, and this function does not generally enable or disable it, despite its name.

If use_ssl3 is TRUE, this forces conn to use the lowest-supported TLS protocol version rather than trying to properly negotiate the highest mutually-supported protocol version with the peer. This can be used when talking to broken TLS servers that exhibit protocol version intolerance.

Be aware that SSL 3.0 is generally disabled by the GTlsBackend, so the lowest-supported protocol version is probably not SSL 3.0.

Since: 2.28
g_tls_client_connection_get_use_ssl3 ()

gboolean
g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn);

g_tls_client_connection_get_use_ssl3 has been deprecated since version 2.56 and should not be used in newly-written code.
SSL 3.0 is insecure, and this function does not actually indicate whether it is enabled.

Gets whether conn will force the lowest-supported TLS protocol version rather than attempt to negotiate the highest mutually-supported version of TLS; see g_tls_client_connection_set_use_ssl3().

Since: 2.28
g_tls_client_connection_get_accepted_cas ()

GList *
g_tls_client_connection_get_accepted_cas (GTlsClientConnection *conn);

Gets the list of distinguished names of the Certificate Authorities that the server will accept certificates from. This will be set during the TLS handshake if the server requests a certificate. Otherwise, it will be NULL.

Each item in the list is a GByteArray which contains the complete subject DN of the certificate authority.

Returns: the list of CA DNs. You should unref each element with g_byte_array_unref() and then free the list with g_list_free(). [element-type GByteArray][transfer full]

Since: 2.28
g_tls_client_connection_copy_session_state ()

void
g_tls_client_connection_copy_session_state (GTlsClientConnection *conn,
                                            GTlsClientConnection *source);

Copies session state from one connection to another. This is not normally needed, but may be used when the same session needs to be used between different endpoints as is required by some protocols such as FTP over TLS. source should have already completed a handshake, and conn should not have completed a handshake.

Since: 2.46
Types and Values

GTlsClientConnection

typedef struct _GTlsClientConnection GTlsClientConnection;

Abstract base class for the backend-specific client connection type.

Since: 2.28

struct GTlsClientConnectionInterface

struct GTlsClientConnectionInterface {
  GTypeInterface g_iface;

  void ( *copy_session_state ) (GTlsClientConnection *conn,
                                GTlsClientConnection *source);
};

vtable for a GTlsClientConnection implementation.

Since: 2.26
Property Details

The “accepted-cas” property

  “accepted-cas”             gpointer

A list of the distinguished names of the Certificate Authorities that the server will accept client certificates signed by. If the server requests a client certificate during the handshake, then this property will be set after the handshake completes.

Each item in the list is a GByteArray which contains the complete subject DN of the certificate authority. [element-type GLib.ByteArray]

Flags: Read

Since: 2.28
The “server-identity” property

  “server-identity”          GSocketConnectable *

A GSocketConnectable describing the identity of the server that is expected on the other end of the connection.

If the G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in “validation-flags”, this object will be used to determine the expected identity of the remote end of the connection; if “server-identity” is not set, or does not match the identity presented by the server, then the G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.

In addition to its use in verifying the server certificate, this is also used to give a hint to the server about what certificate we expect, which is useful for servers that serve virtual hosts.

Flags: Read / Write / Construct

Since: 2.28
The “use-ssl3” property

  “use-ssl3”                 gboolean

If TRUE, forces the connection to use a fallback version of TLS or SSL, rather than trying to negotiate the best version of TLS to use. This can be used when talking to servers that don't implement version negotiation correctly and therefore refuse to handshake at all with a modern TLS handshake.

Despite the property name, the fallback version is usually not SSL 3.0, because SSL 3.0 is generally disabled by the GTlsBackend. GTlsClientConnection will use the next-highest available version as the fallback version.

GTlsClientConnection:use-ssl3 has been deprecated since version 2.56 and should not be used in newly-written code.
SSL 3.0 is insecure, and this property does not generally enable or disable it, despite its name.

Flags: Read / Write / Construct

Default value: FALSE

Since: 2.28
The “validation-flags” property

  “validation-flags”         GTlsCertificateFlags

What steps to perform when validating a certificate received from a server. Server certificates that fail to validate in all of the ways indicated here will be rejected unless the application overrides the default via “accept-certificate”.

Flags: Read / Write / Construct

Default value: G_TLS_CERTIFICATE_UNKNOWN_CA | G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_NOT_ACTIVATED | G_TLS_CERTIFICATE_EXPIRED | G_TLS_CERTIFICATE_REVOKED | G_TLS_CERTIFICATE_INSECURE | G_TLS_CERTIFICATE_GENERIC_ERROR

Since: 2.28