cha-shared-key.texi cha-gtls-examples.texi
# Examples.
-gnutls_TEXINFOS += examples/ex-client1.c \
+gnutls_TEXINFOS += examples/ex-client-anon.c \
examples/ex-session-info.c examples/ex-verify.c \
examples/ex-cert-select.c examples/ex-client-resume.c \
- examples/ex-client-srp.c examples/ex-rfc2818.c \
- examples/ex-serv1.c examples/ex-serv-anon.c \
+ examples/ex-client-srp.c examples/ex-client-x509.c \
+ examples/ex-serv-x509.c examples/ex-serv-anon.c \
examples/ex-serv-pgp.c examples/ex-serv-srp.c \
examples/ex-alert.c examples/ex-x509-info.c examples/ex-crq.c \
- examples/ex-pkcs12.c
+ examples/ex-pkcs12.c examples/ex-client-dtls.c
# Images. Make sure there are eps + png + pdf of each, plus the source dia.
gnutls_TEXINFOS += gnutls-internals.dia gnutls-internals.eps \
* Setting up the transport layer::
* TLS handshake::
* Data transfer and termination::
+* Handling alerts::
* Priority Strings::
* Advanced and other topics::
* Using the cryptographic library::
@showfuncdesc{gnutls_bye}
@showfuncdesc{gnutls_deinit}
+@node Handling alerts
+@section Handling alerts
+During a TLS connection alert messages may be exchanged by the
+two peers. Those messages may be fatal, meaning the connection
+must be terminated afterwards, or warning when something needs
+to be reported to the peer, but without interrupting the session.
+The error codes @code{GNUTLS_E_WARNING_ALERT_RECEIVED}
+or @code{GNUTLS_E_FATAL_ALERT_RECEIVED} signal those alerts
+when received, and may be returned by all GnuTLS functions that receive
+data from the peer, being @funcref{gnutls_handshake} and @funcref{gnutls_record_recv}.
+Alerts messages may be sent to the peer using @funcref{gnutls_alert_send}.
+
+@showfuncdesc{gnutls_alert_get}
+
+@showfuncdesc{gnutls_alert_send}
+
+@showfuncB{gnutls_error_to_alert,gnutls_alert_get_name}
+
@node Priority Strings
@section Priority strings
* Obtaining session information::
* Using a callback to select the certificate to use::
* Verifying a certificate::
-* Client using a PKCS 11 token with TLS::
+* Client using a smart card with TLS::
* Client with Resume capability example::
* Simple client example with SRP authentication::
* Simple client example in C++::
authentication. This means no external certificates or passwords are
needed to set up the connection. As could be expected, the connection
is vulnerable to man-in-the-middle (active or redirection) attacks.
-However, the data is integrity and privacy protected.
+However, the data are integrity protected and encrypted from
+passive eavesdroppers.
-@verbatiminclude examples/ex-client1.c
+@verbatiminclude examples/ex-client-anon.c
@node Simple client example with X.509 certificate support
@subsection Simple client example with @acronym{X.509} certificate support
functions for certificates, but does not support session
resumption.
-@verbatiminclude examples/ex-rfc2818.c
+@verbatiminclude examples/ex-client-x509.c
@node Simple Datagram TLS client example
@subsection Simple datagram @acronym{TLS} client example
This is a client that uses @acronym{UDP} to connect to a
-server. This is the @acronym{DTLS} equivalent to the example
-in @ref{Simple client example with X.509 certificate support}.
+server. This is the @acronym{DTLS} equivalent to the TLS example
+with X.509 certificates.
-@verbatiminclude examples/ex-client-udp.c
+@verbatiminclude examples/ex-client-dtls.c
@node Obtaining session information
@subsection Obtaining session information
@verbatiminclude examples/ex-verify.c
-@node Client using a PKCS 11 token with TLS
-@subsection Using a @acronym{PKCS} #11 token with TLS
+@node Client using a smart card with TLS
+@subsection Using a smart card with TLS
@anchor{ex:pkcs11-client}
+@cindex Smart card example
This example will demonstrate how to load keys and certificates
-from a @acronym{PKCS} #11 token, and use it with a TLS connection.
+from a smart-card or any other @acronym{PKCS} #11 token, and
+use it in a TLS connection.
@verbatiminclude examples/ex-cert-select-pkcs11.c
* Echo server with OpenPGP authentication::
* Echo server with SRP authentication::
* Echo server with anonymous authentication::
-* Echo DTLS server with X.509 authentication::
+* DTLS echo server with X.509 authentication::
@end menu
@node Echo server with X.509 authentication
This example is a very simple echo server which supports
@acronym{X.509} authentication.
-@verbatiminclude examples/ex-serv1.c
+@verbatiminclude examples/ex-serv-x509.c
@node Echo server with OpenPGP authentication
@subsection Echo server with @acronym{OpenPGP} authentication
@verbatiminclude examples/ex-serv-anon.c
-@node Echo DTLS server with X.509 authentication
-@subsection Echo DTLS server with @acronym{X.509} authentication
+@node DTLS echo server with X.509 authentication
+@subsection DTLS echo server with @acronym{X.509} authentication
This example is a very simple echo server using Datagram TLS and
@acronym{X.509} authentication.
prevent future re-negotiations using the current session ID. All alert
messages are summarized in @ref{tab:alerts}.
-
The alert messages are protected by the record protocol, thus the
information that is included does not leak. You must take extreme care
for the alert information not to leak to a possible attacker, via
-public log files etc. The available functions to control the alert
-protocol are shown below.
-
-@showfuncdesc{gnutls_alert_get}
-
-@showfuncdesc{gnutls_alert_send}
-
-@showfuncB{gnutls_error_to_alert,gnutls_alert_get_name}
+public log files etc.
@include alerts.texi
CXX_LDADD = $(LDADD) \
../../lib/libgnutlsxx.la
-noinst_PROGRAMS = ex-client-resume ex-client-udp
-noinst_PROGRAMS += ex-cert-select ex-rfc2818
+noinst_PROGRAMS = ex-client-resume ex-client-dtls
+noinst_PROGRAMS += ex-cert-select ex-client-x509
if ENABLE_PKI
-noinst_PROGRAMS += ex-crq ex-serv1 ex-serv-dtls
+noinst_PROGRAMS += ex-crq ex-serv-x509 ex-serv-dtls
endif
if ENABLE_CXX
endif
if ENABLE_ANON
-noinst_PROGRAMS += ex-client1 ex-serv-anon
+noinst_PROGRAMS += ex-client-anon ex-serv-anon
endif
if ENABLE_OPENPGP
/* Perform the TLS handshake
*/
- ret = gnutls_handshake (session);
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
/* put the x509 credentials to the current session */
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
+ strlen("my_host_name"));
/* connect to the peer */
sd = udp_connect ();
gnutls_dtls_set_mtu (session, 1000);
/* Perform the TLS handshake */
- ret = gnutls_handshake (session);
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
/* Perform the TLS handshake
*/
- ret = gnutls_handshake (session);
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
/* Perform the TLS handshake
*/
- ret = gnutls_handshake (session);
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
/* Perform the TLS handshake
*/
- ret = gnutls_handshake (session);
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_session_set_ptr (session, (void *) "my_host_name");
+ gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
+ strlen("my_host_name"));
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
- ret = gnutls_handshake (session);
+
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
+
if (ret < 0)
{
close (sd);
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
- ret = gnutls_handshake (session);
+
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
+
if (ret < 0)
{
close (sd);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
- /* request client certificate if any.
+ /* We don't request any certificate from the client.
+ * If we did we would need to verify it.
*/
- gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+ gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
return session;
}
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
- ret = gnutls_handshake (session);
+
+ do
+ {
+ ret = gnutls_handshake (session);
+ }
+ while (gnutls_error_is_fatal (ret) == 0);
+
if (ret < 0)
{
close (sd);