Emacs Online Documentation

gnutls-negotiate

gnutls-negotiate is an autoloaded compiled Lisp function in `gnutls.el'.

(gnutls-negotiate &rest SPEC &key PROCESS TYPE HOSTNAME PRIORITY-STRING TRUSTFILES CRLFILES KEYLIST MIN-PRIME-BITS VERIFY-FLAGS VERIFY-ERROR VERIFY-HOSTNAME-ERROR &allow-other-keys)

Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.

Note arguments are passed CL style, :type TYPE instead of just TYPE.

TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
PROCESS is a process returned by `open-network-stream'.
HOSTNAME is the remote hostname. It must be a valid string.
PRIORITY-STRING is as per the GnuTLS docs, default is "NORMAL".
TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
CRLFILES is a list of CRL files.
KEYLIST is an alist of (client key file, client cert file) pairs.
MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
(see `gnutls-min-prime-bits' for more information). Use nil for the
default.

VERIFY-HOSTNAME-ERROR is a backwards compatibility option for
putting `:hostname' in VERIFY-ERROR.

When VERIFY-ERROR is t or a list containing `:trustfiles', an
error will be raised when the peer certificate verification fails
as per GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
warnings will be shown about the verification failure.

When VERIFY-ERROR is t or a list containing `:hostname', an error
will be raised when the hostname does not match the presented
certificate's host name. The exact verification algorithm is a
basic implementation of the matching described in
RFC2818 (HTTPS), which takes into account wildcards, and the
DNSName/IPAddress subject alternative name PKIX extension. See
GnuTLS' gnutls_x509_crt_check_hostname for details. Otherwise,
only a warning will be issued.

Note that the list in `gnutls-verify-error', matched against the
HOSTNAME, is the default VERIFY-ERROR.

VERIFY-FLAGS is a numeric OR of verification flags only for
`gnutls-x509pki' connections. See GnuTLS' x509.h for details;
here's a recent version of the list.

GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256

It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.