Top |
Functions
Properties
GIOStream * | base-io-stream | Read / Write / Construct Only |
GTlsCertificate * | certificate | Read / Write |
GTlsDatabase * | database | Read / Write |
GTlsInteraction * | interaction | Read / Write |
GTlsCertificate * | peer-certificate | Read |
GTlsCertificateFlags | peer-certificate-errors | Read |
GTlsRehandshakeMode | rehandshake-mode | Read / Write / Construct |
gboolean | require-close-notify | Read / Write / Construct |
gboolean | use-system-certdb | Read / Write / Construct |
Known Derived Interfaces
GTlsConnection is required by GTlsClientConnection and GTlsServerConnection.
Description
GTlsConnection is the base TLS connection class type, which wraps a GIOStream and provides TLS encryption on top of it. Its subclasses, GTlsClientConnection and GTlsServerConnection, implement client-side and server-side TLS, respectively.
For DTLS (Datagram TLS) support, see GDtlsConnection.
Functions
g_tls_connection_set_certificate ()
void g_tls_connection_set_certificate (GTlsConnection *conn
,GTlsCertificate *certificate
);
This sets the certificate that conn
will present to its peer
during the TLS handshake. For a GTlsServerConnection, it is
mandatory to set this, and that will normally be done at construct
time.
For a GTlsClientConnection, this is optional. If a handshake fails
with G_TLS_ERROR_CERTIFICATE_REQUIRED
, that means that the server
requires a certificate, and if you try connecting again, you should
call this method first. You can call
g_tls_client_connection_get_accepted_cas()
on the failed connection
to get a list of Certificate Authorities that the server will
accept certificates from.
(It is also possible that a server will allow the connection with
or without a certificate; in that case, if you don't provide a
certificate, you can tell that the server requested one by the fact
that g_tls_client_connection_get_accepted_cas()
will return
non-NULL
.)
Since: 2.28
g_tls_connection_get_certificate ()
GTlsCertificate *
g_tls_connection_get_certificate (GTlsConnection *conn
);
Gets conn
's certificate, as set by
g_tls_connection_set_certificate()
.
Since: 2.28
g_tls_connection_get_peer_certificate ()
GTlsCertificate *
g_tls_connection_get_peer_certificate (GTlsConnection *conn
);
Gets conn
's peer's certificate after the handshake has completed.
(It is not set during the emission of
“accept-certificate”.)
Since: 2.28
g_tls_connection_get_peer_certificate_errors ()
GTlsCertificateFlags
g_tls_connection_get_peer_certificate_errors
(GTlsConnection *conn
);
Gets the errors associated with validating conn
's peer's
certificate, after the handshake has completed. (It is not set
during the emission of “accept-certificate”.)
Since: 2.28
g_tls_connection_set_require_close_notify ()
void g_tls_connection_set_require_close_notify (GTlsConnection *conn
,gboolean require_close_notify
);
Sets whether or not conn
expects a proper TLS close notification
before the connection is closed. If this is TRUE
(the default),
then conn
will expect to receive a TLS close notification from its
peer before the connection is closed, and will return a
G_TLS_ERROR_EOF
error if the connection is closed without proper
notification (since this may indicate a network error, or
man-in-the-middle attack).
In some protocols, the application will know whether or not the
connection was closed cleanly based on application-level data
(because the application-level data includes a length field, or is
somehow self-delimiting); in this case, the close notify is
redundant and sometimes omitted. (TLS 1.1 explicitly allows this;
in TLS 1.0 it is technically an error, but often done anyway.) You
can use g_tls_connection_set_require_close_notify()
to tell conn
to allow an "unannounced" connection close, in which case the close
will show up as a 0-length read, as in a non-TLS
GSocketConnection, and it is up to the application to check that
the data has been fully received.
Note that this only affects the behavior when the peer closes the
connection; when the application calls g_io_stream_close()
itself
on conn
, this will send a close notification regardless of the
setting of this property. If you explicitly want to do an unclean
close, you can close conn
's “base-io-stream” rather
than closing conn
itself, but note that this may only be done when no other
operations are pending on conn
or the base I/O stream.
Since: 2.28
g_tls_connection_get_require_close_notify ()
gboolean
g_tls_connection_get_require_close_notify
(GTlsConnection *conn
);
Tests whether or not conn
expects a proper TLS close notification
when the connection is closed. See
g_tls_connection_set_require_close_notify()
for details.
Since: 2.28
g_tls_connection_set_rehandshake_mode ()
void g_tls_connection_set_rehandshake_mode (GTlsConnection *conn
,GTlsRehandshakeMode mode
);
Sets how conn
behaves with respect to rehandshaking requests.
G_TLS_REHANDSHAKE_NEVER
means that it will never agree to
rehandshake after the initial handshake is complete. (For a client,
this means it will refuse rehandshake requests from the server, and
for a server, this means it will close the connection with an error
if the client attempts to rehandshake.)
G_TLS_REHANDSHAKE_SAFELY
means that the connection will allow a
rehandshake only if the other end of the connection supports the
TLS renegotiation_info
extension. This is the default behavior,
but means that rehandshaking will not work against older
implementations that do not support that extension.
G_TLS_REHANDSHAKE_UNSAFELY
means that the connection will allow
rehandshaking even without the renegotiation_info
extension. On
the server side in particular, this is not recommended, since it
leaves the server open to certain attacks. However, this mode is
necessary if you need to allow renegotiation with older client
software.
Since: 2.28
g_tls_connection_get_rehandshake_mode ()
GTlsRehandshakeMode
g_tls_connection_get_rehandshake_mode (GTlsConnection *conn
);
Gets conn
rehandshaking mode. See
g_tls_connection_set_rehandshake_mode()
for details.
Since: 2.28
g_tls_connection_set_use_system_certdb ()
void g_tls_connection_set_use_system_certdb (GTlsConnection *conn
,gboolean use_system_certdb
);
g_tls_connection_set_use_system_certdb
has been deprecated since version 2.30 and should not be used in newly-written code.
Use g_tls_connection_set_database()
instead
Sets whether conn
uses the system certificate database to verify
peer certificates. This is TRUE
by default. If set to FALSE
, then
peer certificate validation will always set the
G_TLS_CERTIFICATE_UNKNOWN_CA
error (meaning
“accept-certificate” will always be emitted on
client-side connections, unless that bit is not set in
“validation-flags”).
g_tls_connection_get_use_system_certdb ()
gboolean
g_tls_connection_get_use_system_certdb
(GTlsConnection *conn
);
g_tls_connection_get_use_system_certdb
has been deprecated since version 2.30 and should not be used in newly-written code.
Use g_tls_connection_get_database()
instead
Gets whether conn
uses the system certificate database to verify
peer certificates. See g_tls_connection_set_use_system_certdb()
.
g_tls_connection_get_database ()
GTlsDatabase *
g_tls_connection_get_database (GTlsConnection *conn
);
Gets the certificate database that conn
uses to verify
peer certificates. See g_tls_connection_set_database()
.
Since: 2.30
g_tls_connection_set_database ()
void g_tls_connection_set_database (GTlsConnection *conn
,GTlsDatabase *database
);
Sets the certificate database that is used to verify peer certificates.
This is set to the default database by default. See
g_tls_backend_get_default_database()
. If set to NULL
, then
peer certificate validation will always set the
G_TLS_CERTIFICATE_UNKNOWN_CA
error (meaning
“accept-certificate” will always be emitted on
client-side connections, unless that bit is not set in
“validation-flags”).
Since: 2.30
g_tls_connection_get_interaction ()
GTlsInteraction *
g_tls_connection_get_interaction (GTlsConnection *conn
);
Get the object that will be used to interact with the user. It will be used
for things like prompting the user for passwords. If NULL
is returned, then
no user interaction will occur for this connection.
Since: 2.30
g_tls_connection_set_interaction ()
void g_tls_connection_set_interaction (GTlsConnection *conn
,GTlsInteraction *interaction
);
Set the object that will be used to interact with the user. It will be used for things like prompting the user for passwords.
The interaction
argument will normally be a derived subclass of
GTlsInteraction. NULL
can also be provided if no user interaction
should occur for this connection.
Since: 2.30
g_tls_connection_handshake ()
gboolean g_tls_connection_handshake (GTlsConnection *conn
,GCancellable *cancellable
,GError **error
);
Attempts a TLS handshake on conn
.
On the client side, it is never necessary to call this method;
although the connection needs to perform a handshake after
connecting (or after sending a "STARTTLS"-type command) and may
need to rehandshake later if the server requests it,
GTlsConnection will handle this for you automatically when you try
to send or receive data on the connection. However, you can call
g_tls_connection_handshake()
manually if you want to know for sure
whether the initial handshake succeeded or failed (as opposed to
just immediately trying to write to conn
's output stream, in which
case if it fails, it may not be possible to tell if it failed
before or after completing the handshake).
Likewise, on the server side, although a handshake is necessary at
the beginning of the communication, you do not need to call this
function explicitly unless you want clearer error reporting.
However, you may call g_tls_connection_handshake()
later on to
renegotiate parameters (encryption methods, etc) with the client.
“accept_certificate” may be emitted during the handshake.
Since: 2.28
g_tls_connection_handshake_async ()
void g_tls_connection_handshake_async (GTlsConnection *conn
,int io_priority
,GCancellable *cancellable
,GAsyncReadyCallback callback
,gpointer user_data
);
Asynchronously performs a TLS handshake on conn
. See
g_tls_connection_handshake()
for more information.
Parameters
conn |
||
io_priority |
the I/O priority of the request |
|
cancellable |
a GCancellable, or |
[nullable] |
callback |
callback to call when the handshake is complete |
|
user_data |
the data to pass to the callback function |
Since: 2.28
g_tls_connection_handshake_finish ()
gboolean g_tls_connection_handshake_finish (GTlsConnection *conn
,GAsyncResult *result
,GError **error
);
Finish an asynchronous TLS handshake operation. See
g_tls_connection_handshake()
for more information.
Since: 2.28
g_tls_connection_emit_accept_certificate ()
gboolean g_tls_connection_emit_accept_certificate (GTlsConnection *conn
,GTlsCertificate *peer_cert
,GTlsCertificateFlags errors
);
Used by GTlsConnection implementations to emit the “accept-certificate” signal.
Since: 2.28
Types and Values
GTlsConnection
typedef struct _GTlsConnection GTlsConnection;
Abstract base class for the backend-specific GTlsClientConnection and GTlsServerConnection types.
Since: 2.28
enum GTlsRehandshakeMode
When to allow rehandshaking. See
g_tls_connection_set_rehandshake_mode()
.
Since: 2.28
Property Details
The “base-io-stream”
property
“base-io-stream” GIOStream *
The GIOStream that the connection wraps. The connection holds a reference to this stream, and may run operations on the stream from other threads throughout its lifetime. Consequently, after the GIOStream has been constructed, application code may only run its own operations on this stream when no GIOStream operations are running.
Flags: Read / Write / Construct Only
Since: 2.28
The “certificate”
property
“certificate” GTlsCertificate *
The connection's certificate; see
g_tls_connection_set_certificate()
.
Flags: Read / Write
Since: 2.28
The “database”
property
“database” GTlsDatabase *
The certificate database to use when verifying this TLS connection.
If no certificate database is set, then the default database will be
used. See g_tls_backend_get_default_database()
.
Flags: Read / Write
Since: 2.30
The “interaction”
property
“interaction” GTlsInteraction *
A GTlsInteraction object to be used when the connection or certificate database need to interact with the user. This will be used to prompt the user for passwords where necessary.
Flags: Read / Write
Since: 2.30
The “peer-certificate”
property
“peer-certificate” GTlsCertificate *
The connection's peer's certificate, after the TLS handshake has completed and the certificate has been accepted. Note in particular that this is not yet set during the emission of “accept-certificate”.
(You can watch for a “notify” signal on this property to detect when a handshake has occurred.)
Flags: Read
Since: 2.28
The “peer-certificate-errors”
property
“peer-certificate-errors” GTlsCertificateFlags
The errors noticed-and-ignored while verifying
“peer-certificate”. Normally this should be 0, but
it may not be if “validation-flags” is not
G_TLS_CERTIFICATE_VALIDATE_ALL
, or if
“accept-certificate” overrode the default
behavior.
Flags: Read
Since: 2.28
The “rehandshake-mode”
property
“rehandshake-mode” GTlsRehandshakeMode
The rehandshaking mode. See
g_tls_connection_set_rehandshake_mode()
.
Flags: Read / Write / Construct
Default value: G_TLS_REHANDSHAKE_SAFELY
Since: 2.28
The “require-close-notify”
property
“require-close-notify” gboolean
Whether or not proper TLS close notification is required.
See g_tls_connection_set_require_close_notify()
.
Flags: Read / Write / Construct
Default value: TRUE
Since: 2.28
The “use-system-certdb”
property
“use-system-certdb” gboolean
Whether or not the system certificate database will be used to
verify peer certificates. See
g_tls_connection_set_use_system_certdb()
.
GTlsConnection:use-system-certdb
has been deprecated since version 2.30 and should not be used in newly-written code.
Use GTlsConnection:database instead
Flags: Read / Write / Construct
Default value: TRUE
Signal Details
The “accept-certificate”
signal
gboolean user_function (GTlsConnection *conn, GTlsCertificate *peer_cert, GTlsCertificateFlags errors, gpointer user_data)
Emitted during the TLS handshake after the peer certificate has
been received. You can examine peer_cert
's certification path by
calling g_tls_certificate_get_issuer()
on it.
For a client-side connection, peer_cert
is the server's
certificate, and the signal will only be emitted if the
certificate was not acceptable according to conn
's
“validation_flags”. If you would like the
certificate to be accepted despite errors
, return TRUE
from the
signal handler. Otherwise, if no handler accepts the certificate,
the handshake will fail with G_TLS_ERROR_BAD_CERTIFICATE
.
For a server-side connection, peer_cert
is the certificate
presented by the client, if this was requested via the server's
“authentication_mode”. On the server side,
the signal is always emitted when the client presents a
certificate, and the certificate will only be accepted if a
handler returns TRUE
.
Note that if this signal is emitted as part of asynchronous I/O
in the main thread, then you should not attempt to interact with
the user before returning from the signal handler. If you want to
let the user decide whether or not to accept the certificate, you
would have to return FALSE
from the signal handler on the first
attempt, and then after the connection attempt returns a
G_TLS_ERROR_HANDSHAKE
, you can interact with the user, and if
the user decides to accept the certificate, remember that fact,
create a new connection, and return TRUE
from the signal handler
the next time.
If you are doing I/O in another thread, you do not need to worry about this, and can simply block in the signal handler until the UI thread returns an answer.
Parameters
conn |
||
peer_cert |
the peer's GTlsCertificate |
|
errors |
the problems with |
|
user_data |
user data set when the signal handler was connected. |
Returns
TRUE
to accept peer_cert
(which will also
immediately end the signal emission). FALSE
to allow the signal
emission to continue, which will cause the handshake to fail if
no one else overrides it.
Flags: Run Last
Since: 2.28