GTlsClientConnection

GTlsClientConnection — TLS client-side connection

Functions

Properties

gpointer accepted-cas Read
GSocketConnectable * server-identity Read / Write / Construct
gboolean use-ssl3 Read / Write / Construct
GTlsCertificateFlags validation-flags Read / Write / Construct

Types and Values

Object Hierarchy

    GInterface
    ╰── GTlsClientConnection

Prerequisites

GTlsClientConnection requires GTlsConnection.

Includes

#include <gio/gio.h>

Description

GTlsClientConnection is the client-side subclass of GTlsConnection, representing a client-side TLS connection.

Functions

g_tls_client_connection_new ()

GIOStream *
g_tls_client_connection_new (GIOStream *base_io_stream,
                             GSocketConnectable *server_identity,
                             GError **error);

Creates a new GTlsClientConnection wrapping base_io_stream (which must have pollable input and output streams) which is assumed to communicate with the server identified by server_identity .

See the documentation for “base-io-stream” for restrictions on when application code can run operations on the base_io_stream after this function has returned.

Parameters

base_io_stream

the GIOStream to wrap

 

server_identity

the expected identity of the server.

[nullable]

error

GError for error reporting, or NULL to ignore.

 

Returns

the new GTlsClientConnection, or NULL on error.

[transfer full][type GTlsClientConnection]

Since: 2.28


g_tls_client_connection_set_server_identity ()

void
g_tls_client_connection_set_server_identity
                               (GTlsClientConnection *conn,
                                GSocketConnectable *identity);

Sets conn 's expected server identity, which is used both to tell servers on virtual hosts which certificate to present, and also to let conn know what name to look for in the certificate when performing G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled.

Parameters

conn

the GTlsClientConnection

 

identity

a GSocketConnectable describing the expected server identity

 

Since: 2.28


g_tls_client_connection_get_server_identity ()

GSocketConnectable *
g_tls_client_connection_get_server_identity
                               (GTlsClientConnection *conn);

Gets conn 's expected server identity

Parameters

conn

the GTlsClientConnection

 

Returns

a GSocketConnectable describing the expected server identity, or NULL if the expected identity is not known.

[transfer none]

Since: 2.28


g_tls_client_connection_set_validation_flags ()

void
g_tls_client_connection_set_validation_flags
                               (GTlsClientConnection *conn,
                                GTlsCertificateFlags flags);

Sets conn 's validation flags, to override the default set of checks performed when validating a server certificate. By default, G_TLS_CERTIFICATE_VALIDATE_ALL is used.

Parameters

conn

the GTlsClientConnection

 

flags

the GTlsCertificateFlags to use

 

Since: 2.28


g_tls_client_connection_get_validation_flags ()

GTlsCertificateFlags
g_tls_client_connection_get_validation_flags
                               (GTlsClientConnection *conn);

Gets conn 's validation flags

Parameters

conn

the GTlsClientConnection

 

Returns

the validation flags

Since: 2.28


g_tls_client_connection_set_use_ssl3 ()

void
g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
                                      gboolean use_ssl3);

If use_ssl3 is TRUE, this forces conn to use SSL 3.0 rather than trying to properly negotiate the right version of TLS or SSL to use. This can be used when talking to servers that do not implement the fallbacks correctly and which will therefore fail to handshake with a "modern" TLS handshake attempt.

Parameters

conn

the GTlsClientConnection

 

use_ssl3

whether to use SSL 3.0

 

Since: 2.28


g_tls_client_connection_get_use_ssl3 ()

gboolean
g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn);

Gets whether conn will use SSL 3.0 rather than the highest-supported version of TLS; see g_tls_client_connection_set_use_ssl3().

Parameters

conn

the GTlsClientConnection

 

Returns

whether conn will use SSL 3.0

Since: 2.28


g_tls_client_connection_get_accepted_cas ()

GList *
g_tls_client_connection_get_accepted_cas
                               (GTlsClientConnection *conn);

Gets the list of distinguished names of the Certificate Authorities that the server will accept certificates from. This will be set during the TLS handshake if the server requests a certificate. Otherwise, it will be NULL.

Each item in the list is a GByteArray which contains the complete subject DN of the certificate authority.

Parameters

conn

the GTlsClientConnection

 

Returns

the list of CA DNs. You should unref each element with g_byte_array_unref() and then the free the list with g_list_free().

[element-type GByteArray][transfer full]

Since: 2.28


g_tls_client_connection_copy_session_state ()

void
g_tls_client_connection_copy_session_state
                               (GTlsClientConnection *conn,
                                GTlsClientConnection *source);

Copies session state from one connection to another. This is not normally needed, but may be used when the same session needs to be used between different endpoints as is required by some protocols such as FTP over TLS. source should have already completed a handshake, and conn should not have completed a handshake.

Parameters

Since: 2.46

Types and Values

GTlsClientConnection

typedef struct _GTlsClientConnection GTlsClientConnection;

Abstract base class for the backend-specific client connection type.

Since: 2.28


struct GTlsClientConnectionInterface

struct GTlsClientConnectionInterface {
  GTypeInterface g_iface;

  void     ( *copy_session_state )     (GTlsClientConnection       *conn,
                                        GTlsClientConnection       *source);
};

vtable for a GTlsClientConnection implementation.

Members

copy_session_state ()

Copies session state from one GTlsClientConnection to another.

 

Since: 2.26

Property Details

The “accepted-cas” property

  “accepted-cas”             gpointer

A list of the distinguished names of the Certificate Authorities that the server will accept client certificates signed by. If the server requests a client certificate during the handshake, then this property will be set after the handshake completes.

Each item in the list is a GByteArray which contains the complete subject DN of the certificate authority.

[element-type GLib.ByteArray]

Flags: Read

Since: 2.28


The “server-identity” property

  “server-identity”          GSocketConnectable *

A GSocketConnectable describing the identity of the server that is expected on the other end of the connection.

If the G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in “validation-flags”, this object will be used to determine the expected identify of the remote end of the connection; if “server-identity” is not set, or does not match the identity presented by the server, then the G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.

In addition to its use in verifying the server certificate, this is also used to give a hint to the server about what certificate we expect, which is useful for servers that serve virtual hosts.

Flags: Read / Write / Construct

Since: 2.28


The “use-ssl3” property

  “use-ssl3”                 gboolean

If TRUE, tells the connection to use a fallback version of TLS or SSL, rather than trying to negotiate the best version of TLS to use. This can be used when talking to servers that don't implement version negotiation correctly and therefore refuse to handshake at all with a "modern" TLS handshake.

Despite the property name, the fallback version is not necessarily SSL 3.0; if SSL 3.0 has been disabled, the GTlsClientConnection will use the next highest available version (normally TLS 1.0) as the fallback version.

Flags: Read / Write / Construct

Default value: FALSE

Since: 2.28


The “validation-flags” property

  “validation-flags”         GTlsCertificateFlags

What steps to perform when validating a certificate received from a server. Server certificates that fail to validate in all of the ways indicated here will be rejected unless the application overrides the default via “accept-certificate”.

Flags: Read / Write / Construct

Default value: G_TLS_CERTIFICATE_UNKNOWN_CA | G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_NOT_ACTIVATED | G_TLS_CERTIFICATE_EXPIRED | G_TLS_CERTIFICATE_REVOKED | G_TLS_CERTIFICATE_INSECURE | G_TLS_CERTIFICATE_GENERIC_ERROR

Since: 2.28