Next: , Previous: , Up: How to use GnuTLS in applications   [Contents][Index]

6.3 Session initialization

In the previous sections we have discussed the global initialization required for GnuTLS as well as the initialization required for each authentication method’s credentials (see Authentication). In this section we elaborate on the TLS or DTLS session initiation. Each session is initialized using gnutls_init which among others is used to specify the type of the connection (server or client), and the underlying protocol type, i.e., datagram (UDP) or reliable (TCP).

Function: int gnutls_init (gnutls_session_t * session, unsigned int flags)

session: is a pointer to a gnutls_session_t type.

flags: indicate if this session is to be used for server or client.

This function initializes the provided session. Every session must be initialized before use, and must be deinitialized after used by calling gnutls_deinit() .

flags can be any combination of flags from gnutls_init_flags_t .

Note that since version 3.1.2 this function enables some common TLS extensions such as session tickets and OCSP certificate status request in client side by default. To prevent that use the GNUTLS_NO_EXTENSIONS flag.

Returns: GNUTLS_E_SUCCESS on success, or an error code.


Connection end is a server.


Connection end is a client.


Connection is datagram oriented (DTLS). Since 3.0.0.


Connection should not block. Since 3.0.0.


Do not enable any TLS extensions by default (since 3.1.2).


Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2.


In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2).


Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.


Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.


When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.


Flag to indicate that the session should not use resumption with session tickets.

Figure 6.2: The gnutls_init_flags_t enumeration.

After the session initialization details on the allowed ciphersuites and protocol versions should be set using the priority functions such as gnutls_priority_set and gnutls_priority_set_direct. We elaborate on them in Priority Strings. The credentials used for the key exchange method, such as certificates or usernames and passwords should also be associated with the session current session using gnutls_credentials_set.

Function: int gnutls_credentials_set (gnutls_session_t session, gnutls_credentials_type_t type, void * cred)

session: is a gnutls_session_t type.

type: is the type of the credentials

cred: the credentials to set

Sets the needed credentials for the specified type. E.g. username, password - or public and private keys etc. The cred parameter is a structure that depends on the specified type and on the current session (client or server).

In order to minimize memory usage, and share credentials between several threads gnutls keeps a pointer to cred, and not the whole cred structure. Thus you will have to keep the structure allocated until you call gnutls_deinit() .

For GNUTLS_CRD_ANON , cred should be gnutls_anon_client_credentials_t in case of a client. In case of a server it should be gnutls_anon_server_credentials_t .

For GNUTLS_CRD_SRP , cred should be gnutls_srp_client_credentials_t in case of a client, and gnutls_srp_server_credentials_t , in case of a server.

For GNUTLS_CRD_CERTIFICATE , cred should be gnutls_certificate_credentials_t .

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned.

Next: , Previous: , Up: How to use GnuTLS in applications   [Contents][Index]