gnutls_certificate_set_retrieve_function3 — API function


#include <gnutls/abstract.h>

void gnutls_certificate_set_retrieve_function3(gnutls_certificate_credentials_t cred, gnutls_certificate_retrieve_function3 * func);


gnutls_certificate_credentials_t cred

is a gnutls_certificate_credentials_t type.

gnutls_certificate_retrieve_function3 * func

is the callback function


This function sets a callback to be called in order to retrieve the certificate and OCSP responses to be used in the handshake.  func will be called only if the peer requests a certificate either during handshake or during post-handshake authentication.

The callback's function prototype is defined in `abstract.h':

int gnutls_certificate_retrieve_function3( gnutls_session_t, const struct gnutls_cert_retr_st *info, gnutls_pcert_st **certs, unsigned int *pcert_length, gnutls_ocsp_data_st **ocsp, unsigned int *ocsp_length, gnutls_privkey_t *privkey, unsigned int *flags);

The info field of the callback contains:
req_ca_dn which is a list with the CA names that the server considers trusted. This is a hint and typically the client should send a certificate that is signed by one of these CAs. These names, when available, are DER encoded. To get a more meaningful value use the function gnutls_x509_rdn_get().
pk_algos contains a list with server's acceptable public key algorithms. The certificate returned should support the server's given algorithms.

The callback should fill-in the following values.

pcert should contain an allocated list of certificates and public keys.
pcert_length is the size of the previous list.
ocsp should contain an allocated list of OCSP responses.
ocsp_length is the size of the previous list.
pkey is the private key.

If flags in the callback are set to GNUTLS_CERT_RETR_DEINIT_ALL then all provided values must be allocated using gnutls_malloc(), and will be released by gnutls; otherwise they will not be touched by gnutls.

The callback function should set the certificate and OCSP response list to be sent, and return 0 on success. If no certificates are available, the  pcert_length and  ocsp_length should be set to zero. The return value (-1) indicates error and the handshake will be terminated. If both certificates are set in the credentials and a callback is available, the callback takes predence.



Reporting Bugs

Report bugs to <>.
Home page:

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit


3.6.9 gnutls