Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
@c gnutls_cipher_algorithm_t
@table @code
@item GNUTLS_@-CIPHER_@-UNKNOWN
Value to identify an unknown/unsupported algorithm.
@item GNUTLS_@-CIPHER_@-NULL
The NULL (identity) encryption algorithm.
@item GNUTLS_@-CIPHER_@-ARCFOUR_@-128
ARCFOUR stream cipher with 128-bit keys.
@item GNUTLS_@-CIPHER_@-3DES_@-CBC
3DES in CBC mode.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CBC
AES in CBC mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CBC
AES in CBC mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-ARCFOUR_@-40
ARCFOUR stream cipher with 40-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-CBC
Camellia in CBC mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-CBC
Camellia in CBC mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-192_@-CBC
AES in CBC mode with 192-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-GCM
AES in GCM mode with 128-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-AES_@-256_@-GCM
AES in GCM mode with 256-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-192_@-CBC
Camellia in CBC mode with 192-bit keys.
@item GNUTLS_@-CIPHER_@-SALSA20_@-256
Salsa20 with 256-bit keys.
@item GNUTLS_@-CIPHER_@-ESTREAM_@-SALSA20_@-256
Estream's Salsa20 variant with 256-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-GCM
CAMELLIA in GCM mode with 128-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-GCM
CAMELLIA in GCM mode with 256-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-RC2_@-40_@-CBC
RC2 in CBC mode with 40-bit keys.
@item GNUTLS_@-CIPHER_@-DES_@-CBC
DES in CBC mode (56-bit keys).
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CCM
AES in CCM mode with 128-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CCM
AES in CCM mode with 256-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CCM_@-8
AES in CCM mode with 64-bit tag and 128-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CCM_@-8
AES in CCM mode with 64-bit tag and 256-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-CHACHA20_@-POLY1305
The Chacha20 cipher with the Poly1305 authenticator (AEAD).
@item GNUTLS_@-CIPHER_@-GOST28147_@-TC26Z_@-CFB
GOST 28147-89 (Magma) cipher in CFB mode with TC26 Z S-box.
@item GNUTLS_@-CIPHER_@-GOST28147_@-CPA_@-CFB
GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro A S-box.
@item GNUTLS_@-CIPHER_@-GOST28147_@-CPB_@-CFB
GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro B S-box.
@item GNUTLS_@-CIPHER_@-GOST28147_@-CPC_@-CFB
GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro C S-box.
@item GNUTLS_@-CIPHER_@-GOST28147_@-CPD_@-CFB
GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro D S-box.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CFB8
AES in CFB8 mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-192_@-CFB8
AES in CFB8 mode with 192-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CFB8
AES in CFB8 mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-XTS
AES in XTS mode with 128-bit key + 128bit tweak key.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-XTS
AES in XTS mode with 256-bit key + 256bit tweak key.
Note that the XTS ciphers are message oriented.
The whole message needs to be provided with a single call, because
cipher-stealing requires to know where the message actually terminates
in order to be able to compute where the stealing occurs.
@item GNUTLS_@-CIPHER_@-GOST28147_@-TC26Z_@-CNT
GOST 28147-89 (Magma) cipher in CNT mode with TC26 Z S-box.
@item GNUTLS_@-CIPHER_@-CHACHA20_@-64
Chacha20 cipher with 64-bit nonces and 64-bit block counters.
@item GNUTLS_@-CIPHER_@-CHACHA20_@-32
Chacha20 cipher with 96-bit nonces and 32-bit block counters.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-SIV
AES in SIV mode with 128-bit key.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-SIV
AES in SIV mode with 256-bit key.
Note that the SIV ciphers can only be used with
the AEAD interface, and the IV plays a role as
the authentication tag while it is prepended to
the cipher text.
@item GNUTLS_@-CIPHER_@-AES_@-192_@-GCM
AES in GCM mode with 192-bit keys (AEAD).
@item GNUTLS_@-CIPHER_@-MAGMA_@-CTR_@-ACPKM
GOST R 34.12-2015 (Magma) cipher in CTR-ACPKM mode.
@item GNUTLS_@-CIPHER_@-KUZNYECHIK_@-CTR_@-ACPKM
GOST R 34.12-2015 (Kuznyechik) cipher in CTR-ACPKM mode.
@item GNUTLS_@-CIPHER_@-IDEA_@-PGP_@-CFB
IDEA in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-3DES_@-PGP_@-CFB
3DES in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-CAST5_@-PGP_@-CFB
CAST5 in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-BLOWFISH_@-PGP_@-CFB
Blowfish in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-SAFER_@-SK128_@-PGP_@-CFB
Safer-SK in CFB mode with 128-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES128_@-PGP_@-CFB
AES in CFB mode with 128-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES192_@-PGP_@-CFB
AES in CFB mode with 192-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES256_@-PGP_@-CFB
AES in CFB mode with 256-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-TWOFISH_@-PGP_@-CFB
Twofish in CFB mode (placeholder - unsupported).
@end table
@c gnutls_kx_algorithm_t
@table @code
@item GNUTLS_@-KX_@-UNKNOWN
Unknown key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA
RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-DSS
DHE-DSS key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-RSA
DHE-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ANON_@-DH
Anon-DH key-exchange algorithm.
@item GNUTLS_@-KX_@-SRP
SRP key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA_@-EXPORT
RSA-EXPORT key-exchange algorithm (defunc).
@item GNUTLS_@-KX_@-SRP_@-RSA
SRP-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-SRP_@-DSS
SRP-DSS key-exchange algorithm.
@item GNUTLS_@-KX_@-PSK
PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-PSK
DHE-PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-ANON_@-ECDH
Anon-ECDH key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-RSA
ECDHE-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-ECDSA
ECDHE-ECDSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-PSK
ECDHE-PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA_@-PSK
RSA-PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-VKO_@-GOST_@-12
VKO GOST R 34.10-2012 key-exchange algorithm.
@end table
@c gnutls_params_type_t
@table @code
@item GNUTLS_@-PARAMS_@-RSA_@-EXPORT
Session RSA-EXPORT parameters (defunc).
@item GNUTLS_@-PARAMS_@-DH
Session Diffie-Hellman parameters.
@item GNUTLS_@-PARAMS_@-ECDH
Session Elliptic-Curve Diffie-Hellman parameters.
@end table
@c gnutls_credentials_type_t
@table @code
@item GNUTLS_@-CRD_@-CERTIFICATE
Certificate credential.
@item GNUTLS_@-CRD_@-ANON
Anonymous credential.
@item GNUTLS_@-CRD_@-SRP
SRP credential.
@item GNUTLS_@-CRD_@-PSK
PSK credential.
@item GNUTLS_@-CRD_@-IA
IA credential.
@end table
@c gnutls_mac_algorithm_t
@table @code
@item GNUTLS_@-MAC_@-UNKNOWN
Unknown MAC algorithm.
@item GNUTLS_@-MAC_@-NULL
NULL MAC algorithm (empty output).
@item GNUTLS_@-MAC_@-MD5
HMAC-MD5 algorithm.
@item GNUTLS_@-MAC_@-SHA1
HMAC-SHA-1 algorithm.
@item GNUTLS_@-MAC_@-RMD160
HMAC-RMD160 algorithm.
@item GNUTLS_@-MAC_@-MD2
HMAC-MD2 algorithm.
@item GNUTLS_@-MAC_@-SHA256
HMAC-SHA-256 algorithm.
@item GNUTLS_@-MAC_@-SHA384
HMAC-SHA-384 algorithm.
@item GNUTLS_@-MAC_@-SHA512
HMAC-SHA-512 algorithm.
@item GNUTLS_@-MAC_@-SHA224
HMAC-SHA-224 algorithm.
@item GNUTLS_@-MAC_@-SHA3_@-224
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-SHA3_@-256
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-SHA3_@-384
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-SHA3_@-512
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-MD5_@-SHA1
Combined MD5+SHA1 MAC placeholder.
@item GNUTLS_@-MAC_@-GOSTR_@-94
HMAC GOST R 34.11-94 algorithm.
@item GNUTLS_@-MAC_@-STREEBOG_@-256
HMAC GOST R 34.11-2001 (Streebog) algorithm, 256 bit.
@item GNUTLS_@-MAC_@-STREEBOG_@-512
HMAC GOST R 34.11-2001 (Streebog) algorithm, 512 bit.
@item GNUTLS_@-MAC_@-AEAD
MAC implicit through AEAD cipher.
@item GNUTLS_@-MAC_@-UMAC_@-96
The UMAC-96 MAC algorithm (requires nonce).
@item GNUTLS_@-MAC_@-UMAC_@-128
The UMAC-128 MAC algorithm (requires nonce).
@item GNUTLS_@-MAC_@-AES_@-CMAC_@-128
The AES-CMAC-128 MAC algorithm.
@item GNUTLS_@-MAC_@-AES_@-CMAC_@-256
The AES-CMAC-256 MAC algorithm.
@item GNUTLS_@-MAC_@-AES_@-GMAC_@-128
The AES-GMAC-128 MAC algorithm (requires nonce).
@item GNUTLS_@-MAC_@-AES_@-GMAC_@-192
The AES-GMAC-192 MAC algorithm (requires nonce).
@item GNUTLS_@-MAC_@-AES_@-GMAC_@-256
The AES-GMAC-256 MAC algorithm (requires nonce).
@item GNUTLS_@-MAC_@-GOST28147_@-TC26Z_@-IMIT
The GOST 28147-89 working in IMIT mode with TC26 Z S-box.
@item GNUTLS_@-MAC_@-SHAKE_@-128
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-SHAKE_@-256
Reserved; unimplemented.
@item GNUTLS_@-MAC_@-MAGMA_@-OMAC
GOST R 34.12-2015 (Magma) in OMAC (CMAC) mode.
@item GNUTLS_@-MAC_@-KUZNYECHIK_@-OMAC
GOST R 34.12-2015 (Kuznyechik) in OMAC (CMAC) mode.
@end table
@c gnutls_digest_algorithm_t
@table @code
@item GNUTLS_@-DIG_@-UNKNOWN
Unknown hash algorithm.
@item GNUTLS_@-DIG_@-NULL
NULL hash algorithm (empty output).
@item GNUTLS_@-DIG_@-MD5
MD5 algorithm.
@item GNUTLS_@-DIG_@-SHA1
SHA-1 algorithm.
@item GNUTLS_@-DIG_@-RMD160
RMD160 algorithm.
@item GNUTLS_@-DIG_@-MD2
MD2 algorithm.
@item GNUTLS_@-DIG_@-SHA256
SHA-256 algorithm.
@item GNUTLS_@-DIG_@-SHA384
SHA-384 algorithm.
@item GNUTLS_@-DIG_@-SHA512
SHA-512 algorithm.
@item GNUTLS_@-DIG_@-SHA224
SHA-224 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-224
SHA3-224 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-256
SHA3-256 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-384
SHA3-384 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-512
SHA3-512 algorithm.
@item GNUTLS_@-DIG_@-MD5_@-SHA1
Combined MD5+SHA1 algorithm.
@item GNUTLS_@-DIG_@-GOSTR_@-94
GOST R 34.11-94 algorithm.
@item GNUTLS_@-DIG_@-STREEBOG_@-256
GOST R 34.11-2001 (Streebog) algorithm, 256 bit.
@item GNUTLS_@-DIG_@-STREEBOG_@-512
GOST R 34.11-2001 (Streebog) algorithm, 512 bit.
@item GNUTLS_@-DIG_@-SHAKE_@-128
Reserved; unimplemented.
@item GNUTLS_@-DIG_@-SHAKE_@-256
Reserved; unimplemented.
@end table
@c gnutls_compression_method_t
@table @code
@item GNUTLS_@-COMP_@-UNKNOWN
Unknown compression method.
@item GNUTLS_@-COMP_@-NULL
The NULL compression method (no compression).
@item GNUTLS_@-COMP_@-DEFLATE
The DEFLATE compression method from zlib.
@item GNUTLS_@-COMP_@-ZLIB
Same as @code{GNUTLS_COMP_DEFLATE} .
@item GNUTLS_@-COMP_@-BROTLI
Brotli compression method.
@item GNUTLS_@-COMP_@-ZSTD
Zstandard compression method.
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
@end table
@c gnutls_init_flags_t
@table @code
@item GNUTLS_@-SERVER
Connection end is a server.
@item GNUTLS_@-CLIENT
Connection end is a client.
@item GNUTLS_@-DATAGRAM
Connection is datagram oriented (DTLS). Since 3.0.0.
@item GNUTLS_@-NONBLOCK
Connection should not block. Since 3.0.0.
@item GNUTLS_@-NO_@-EXTENSIONS
Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.
@item GNUTLS_@-NO_@-REPLAY_@-PROTECTION
Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2.
@item GNUTLS_@-NO_@-SIGNAL
In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2).
@item GNUTLS_@-ALLOW_@-ID_@-CHANGE
Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
@item GNUTLS_@-ENABLE_@-FALSE_@-START
Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
@item GNUTLS_@-FORCE_@-CLIENT_@-CERT
When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.
@item GNUTLS_@-NO_@-TICKETS
Flag to indicate that the session should not use resumption with session tickets.
@item GNUTLS_@-KEY_@-SHARE_@-TOP
Generate key share for the first group which is enabled.
For example x25519. This option is the most performant for client (less CPU spent
generating keys), but if the server doesn't support the advertized option it may
result to more roundtrips needed to discover the server's choice.
@item GNUTLS_@-KEY_@-SHARE_@-TOP2
Generate key shares for the top-2 different groups which are enabled.
For example (ECDH + x25519). This is the default.
@item GNUTLS_@-KEY_@-SHARE_@-TOP3
Generate key shares for the top-3 different groups which are enabled.
That is, as each group is associated with a key type (EC, finite field, x25519), generate
three keys using @code{GNUTLS_PK_DH} , @code{GNUTLS_PK_EC} , @code{GNUTLS_PK_ECDH_X25519} if all of them are enabled.
@item GNUTLS_@-POST_@-HANDSHAKE_@-AUTH
Enable post handshake authentication for server and client. When set and
a server requests authentication after handshake @code{GNUTLS_E_REAUTH_REQUEST} will be returned
by @code{gnutls_record_recv()} . A client should then call @code{gnutls_reauth()} to re-authenticate.
@item GNUTLS_@-NO_@-AUTO_@-REKEY
Disable auto-rekeying under TLS1.3. If this option is not specified
gnutls will force a rekey after 2^24 records have been sent.
@item GNUTLS_@-SAFE_@-PADDING_@-CHECK
Flag to indicate that the TLS 1.3 padding check will be done in a
safe way which doesn't leak the pad size based on GnuTLS processing time. This is of use to
applications which hide the length of transferred data via the TLS1.3 padding mechanism and
are already taking steps to hide the data processing time. This comes at a performance
penalty.
@item GNUTLS_@-ENABLE_@-EARLY_@-START
Under TLS1.3 allow the server to return earlier than the full handshake
finish; similarly to false start the handshake will be completed once data are received by the
client, while the server is able to transmit sooner. This is not enabled by default as it could
break certain existing server assumptions and use-cases. Since 3.6.4.
@item GNUTLS_@-ENABLE_@-RAWPK
Allows raw public-keys to be negotiated during the handshake. Since 3.6.6.
@item GNUTLS_@-AUTO_@-REAUTH
Enable transparent re-authentication in client side when the server
requests to. That is, reauthentication is handled within @code{gnutls_record_recv()} , and
the @code{GNUTLS_E_REHANDSHAKE} or @code{GNUTLS_E_REAUTH_REQUEST} are not returned. This must be
enabled with @code{GNUTLS_POST_HANDSHAKE_AUTH} for TLS1.3. Enabling this flag requires to restore
interrupted calls to @code{gnutls_record_recv()} based on the output of @code{gnutls_record_get_direction()} ,
since @code{gnutls_record_recv()} could be interrupted when sending when this flag is enabled.
Note this flag may not be used if you are using the same session for sending and receiving
in different threads.
@item GNUTLS_@-ENABLE_@-EARLY_@-DATA
Under TLS1.3 allow the server to receive early data sent as part of the initial ClientHello (0-RTT).
This can also be used to explicitly indicate that the client will send early data.
This is not enabled by default as early data has weaker security properties than other data. Since 3.6.5.
@item GNUTLS_@-NO_@-AUTO_@-SEND_@-TICKET
Under TLS1.3 disable auto-sending of
session tickets during the handshake.
@item GNUTLS_@-NO_@-END_@-OF_@-EARLY_@-DATA
Under TLS1.3 suppress sending EndOfEarlyData message. Since 3.7.2.
@item GNUTLS_@-NO_@-TICKETS_@-TLS12
Flag to indicate that the session should not use resumption with session tickets. This flag only has effect if TLS 1.2 is used.
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
@end table
@c gnutls_alert_level_t
@table @code
@item GNUTLS_@-AL_@-WARNING
Alert of warning severity.
@item GNUTLS_@-AL_@-FATAL
Alert of fatal severity.
@end table
@c gnutls_alert_description_t
@table @code
@item GNUTLS_@-A_@-CLOSE_@-NOTIFY
Close notify.
@item GNUTLS_@-A_@-UNEXPECTED_@-MESSAGE
Unexpected message.
@item GNUTLS_@-A_@-BAD_@-RECORD_@-MAC
Bad record MAC.
@item GNUTLS_@-A_@-DECRYPTION_@-FAILED
Decryption failed.
@item GNUTLS_@-A_@-RECORD_@-OVERFLOW
Record overflow.
@item GNUTLS_@-A_@-DECOMPRESSION_@-FAILURE
Decompression failed.
@item GNUTLS_@-A_@-HANDSHAKE_@-FAILURE
Handshake failed.
@item GNUTLS_@-A_@-SSL3_@-NO_@-CERTIFICATE
No certificate.
@item GNUTLS_@-A_@-BAD_@-CERTIFICATE
Certificate is bad.
@item GNUTLS_@-A_@-UNSUPPORTED_@-CERTIFICATE
Certificate is not supported.
@item GNUTLS_@-A_@-CERTIFICATE_@-REVOKED
Certificate was revoked.
@item GNUTLS_@-A_@-CERTIFICATE_@-EXPIRED
Certificate is expired.
@item GNUTLS_@-A_@-CERTIFICATE_@-UNKNOWN
Unknown certificate.
@item GNUTLS_@-A_@-ILLEGAL_@-PARAMETER
Illegal parameter.
@item GNUTLS_@-A_@-UNKNOWN_@-CA
CA is unknown.
@item GNUTLS_@-A_@-ACCESS_@-DENIED
Access was denied.
@item GNUTLS_@-A_@-DECODE_@-ERROR
Decode error.
@item GNUTLS_@-A_@-DECRYPT_@-ERROR
Decrypt error.
@item GNUTLS_@-A_@-EXPORT_@-RESTRICTION
Export restriction.
@item GNUTLS_@-A_@-PROTOCOL_@-VERSION
Error in protocol version.
@item GNUTLS_@-A_@-INSUFFICIENT_@-SECURITY
Insufficient security.
@item GNUTLS_@-A_@-INTERNAL_@-ERROR
Internal error.
@item GNUTLS_@-A_@-INAPPROPRIATE_@-FALLBACK
Inappropriate fallback,
@item GNUTLS_@-A_@-USER_@-CANCELED
User canceled.
@item GNUTLS_@-A_@-NO_@-RENEGOTIATION
No renegotiation is allowed.
@item GNUTLS_@-A_@-MISSING_@-EXTENSION
An extension was expected but was not seen
@item GNUTLS_@-A_@-UNSUPPORTED_@-EXTENSION
An unsupported extension was
sent.
@item GNUTLS_@-A_@-CERTIFICATE_@-UNOBTAINABLE
Could not retrieve the
specified certificate.
@item GNUTLS_@-A_@-UNRECOGNIZED_@-NAME
The server name sent was not
recognized.
@item GNUTLS_@-A_@-UNKNOWN_@-PSK_@-IDENTITY
The SRP/PSK username is missing
or not known.
@item GNUTLS_@-A_@-CERTIFICATE_@-REQUIRED
Certificate is required.
@item GNUTLS_@-A_@-NO_@-APPLICATION_@-PROTOCOL
The ALPN protocol requested is
not supported by the peer.
@item GNUTLS_@-A_@-MAX
-- undescribed --
@end table
@c gnutls_handshake_description_t
@table @code
@item GNUTLS_@-HANDSHAKE_@-HELLO_@-REQUEST
Hello request.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-HELLO
Client hello.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-HELLO
Server hello.
@item GNUTLS_@-HANDSHAKE_@-HELLO_@-VERIFY_@-REQUEST
DTLS Hello verify request.
@item GNUTLS_@-HANDSHAKE_@-NEW_@-SESSION_@-TICKET
New session ticket.
@item GNUTLS_@-HANDSHAKE_@-END_@-OF_@-EARLY_@-DATA
End of early data.
@item GNUTLS_@-HANDSHAKE_@-ENCRYPTED_@-EXTENSIONS
Encrypted extensions message.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-PKT
Certificate packet.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-KEY_@-EXCHANGE
Server key exchange.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-REQUEST
Certificate request.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-HELLO_@-DONE
Server hello done.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-VERIFY
Certificate verify.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-KEY_@-EXCHANGE
Client key exchange.
@item GNUTLS_@-HANDSHAKE_@-FINISHED
Finished.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-STATUS
Certificate status (OCSP).
@item GNUTLS_@-HANDSHAKE_@-SUPPLEMENTAL
Supplemental.
@item GNUTLS_@-HANDSHAKE_@-KEY_@-UPDATE
TLS1.3 key update message.
@item GNUTLS_@-HANDSHAKE_@-COMPRESSED_@-CERTIFICATE_@-PKT
Compressed certificate packet.
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
@item GNUTLS_@-HANDSHAKE_@-CHANGE_@-CIPHER_@-SPEC
Change Cipher Spec.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-HELLO_@-V2
SSLv2 Client Hello.
@item GNUTLS_@-HANDSHAKE_@-HELLO_@-RETRY_@-REQUEST
Hello retry request.
@end table
@c gnutls_certificate_status_t
@table @code
@item GNUTLS_@-CERT_@-INVALID
The certificate is not signed by one of the
known authorities or the signature is invalid (deprecated by the flags
@code{GNUTLS_CERT_SIGNATURE_FAILURE} and @code{GNUTLS_CERT_SIGNER_NOT_FOUND} ).
@item GNUTLS_@-CERT_@-REVOKED
Certificate is revoked by its authority. In X.509 this will be
set only if CRLs are checked.
@item GNUTLS_@-CERT_@-SIGNER_@-NOT_@-FOUND
The certificate's issuer is not known.
This is the case if the issuer is not included in the trusted certificate list.
@item GNUTLS_@-CERT_@-SIGNER_@-NOT_@-CA
The certificate's signer was not a CA. This
may happen if this was a version 1 certificate, which is common with
some CAs, or a version 3 certificate without the basic constrains extension.
@item GNUTLS_@-CERT_@-INSECURE_@-ALGORITHM
The certificate was signed using an insecure
algorithm such as MD2 or MD5. These algorithms have been broken and
should not be trusted.
@item GNUTLS_@-CERT_@-NOT_@-ACTIVATED
The certificate is not yet activated.
@item GNUTLS_@-CERT_@-EXPIRED
The certificate has expired.
@item GNUTLS_@-CERT_@-SIGNATURE_@-FAILURE
The signature verification failed.
@item GNUTLS_@-CERT_@-REVOCATION_@-DATA_@-SUPERSEDED
The revocation data are old and have been superseded.
@item GNUTLS_@-CERT_@-UNEXPECTED_@-OWNER
The owner is not the expected one.
@item GNUTLS_@-CERT_@-REVOCATION_@-DATA_@-ISSUED_@-IN_@-FUTURE
The revocation data have a future issue date.
@item GNUTLS_@-CERT_@-SIGNER_@-CONSTRAINTS_@-FAILURE
The certificate's signer constraints were
violated.
@item GNUTLS_@-CERT_@-MISMATCH
The certificate presented isn't the expected one (TOFU)
@item GNUTLS_@-CERT_@-PURPOSE_@-MISMATCH
The certificate or an intermediate does not match the intended purpose (extended key usage).
@item GNUTLS_@-CERT_@-MISSING_@-OCSP_@-STATUS
The certificate requires the server to send the certificate status, but no status was received.
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
@item GNUTLS_@-CERT_@-INVALID_@-OCSP_@-STATUS
The received OCSP status response is invalid.
@item GNUTLS_@-CERT_@-UNKNOWN_@-CRIT_@-EXTENSIONS
The certificate has extensions marked as critical which are not supported.
@end table
@c gnutls_certificate_request_t
@table @code
@item GNUTLS_@-CERT_@-IGNORE
Ignore certificate.
@item GNUTLS_@-CERT_@-REQUEST
Request certificate.
@item GNUTLS_@-CERT_@-REQUIRE
Require certificate.
@end table
@c gnutls_openpgp_crt_status_t
@table @code
@item GNUTLS_@-OPENPGP_@-CERT
Send entire certificate.
@item GNUTLS_@-OPENPGP_@-CERT_@-FINGERPRINT
Send only certificate fingerprint.
@end table
@c gnutls_close_request_t
@table @code
@item GNUTLS_@-SHUT_@-RDWR
Disallow further receives/sends.
@item GNUTLS_@-SHUT_@-WR
Disallow further sends.
@end table
@c gnutls_protocol_t
@table @code
@item GNUTLS_@-SSL3
SSL version 3.0.
@item GNUTLS_@-TLS1_@-0
TLS version 1.0.
@item GNUTLS_@-TLS1
Same as @code{GNUTLS_TLS1_0} .
@item GNUTLS_@-TLS1_@-1
TLS version 1.1.
@item GNUTLS_@-TLS1_@-2
TLS version 1.2.
@item GNUTLS_@-TLS1_@-3
TLS version 1.3.
@item GNUTLS_@-DTLS0_@-9
DTLS version 0.9 (Cisco AnyConnect / OpenSSL 0.9.8e).
@item GNUTLS_@-DTLS1_@-0
DTLS version 1.0.
@item GNUTLS_@-DTLS1_@-2
DTLS version 1.2.
@item GNUTLS_@-DTLS_@-VERSION_@-MIN
-- undescribed --
@item GNUTLS_@-DTLS_@-VERSION_@-MAX
Maps to the highest supported DTLS version.
@item GNUTLS_@-TLS_@-VERSION_@-MAX
Maps to the highest supported TLS version.
@item GNUTLS_@-VERSION_@-UNKNOWN
Unknown SSL/TLS version.
@end table
@c gnutls_certificate_type_t
@table @code
@item GNUTLS_@-CRT_@-UNKNOWN
Unknown certificate type.
@item GNUTLS_@-CRT_@-X509
X.509 Certificate.
@item GNUTLS_@-CRT_@-OPENPGP
OpenPGP certificate.
@item GNUTLS_@-CRT_@-RAWPK
Raw public-key (SubjectPublicKeyInfo)
@item GNUTLS_@-CRT_@-MAX
-- undescribed --
@end table
@c gnutls_x509_crt_fmt_t
@table @code
@item GNUTLS_@-X509_@-FMT_@-DER
X.509 certificate in DER format (binary).
@item GNUTLS_@-X509_@-FMT_@-PEM
X.509 certificate in PEM format (text).
@end table
@c gnutls_certificate_print_formats_t
@table @code
@item GNUTLS_@-CRT_@-PRINT_@-FULL
Full information about certificate.
@item GNUTLS_@-CRT_@-PRINT_@-ONELINE
Information about certificate in one line.
@item GNUTLS_@-CRT_@-PRINT_@-UNSIGNED_@-FULL
All info for an unsigned certificate.
@item GNUTLS_@-CRT_@-PRINT_@-COMPACT
Information about certificate name in one line, plus identification of the public key.
@item GNUTLS_@-CRT_@-PRINT_@-FULL_@-NUMBERS
Full information about certificate and include easy to parse public key parameters.
@end table
@c gnutls_pk_algorithm_t
@table @code
@item GNUTLS_@-PK_@-UNKNOWN
Unknown public-key algorithm.
@item GNUTLS_@-PK_@-RSA
RSA public-key algorithm.
@item GNUTLS_@-PK_@-DSA
DSA public-key algorithm.
@item GNUTLS_@-PK_@-DH
Diffie-Hellman algorithm. Used to generate parameters.
@item GNUTLS_@-PK_@-ECDSA
Elliptic curve algorithm. These parameters are compatible with the ECDSA and ECDH algorithm.
@item GNUTLS_@-PK_@-ECDH_@-X25519
Elliptic curve algorithm, restricted to ECDH as per rfc7748.
@item GNUTLS_@-PK_@-RSA_@-PSS
RSA public-key algorithm, with PSS padding.
@item GNUTLS_@-PK_@-EDDSA_@-ED25519
Edwards curve Digital signature algorithm. Used with SHA512 on signatures.
@item GNUTLS_@-PK_@-GOST_@-01
GOST R 34.10-2001 algorithm per rfc5832.
@item GNUTLS_@-PK_@-GOST_@-12_@-256
GOST R 34.10-2012 algorithm, 256-bit key per rfc7091.
@item GNUTLS_@-PK_@-GOST_@-12_@-512
GOST R 34.10-2012 algorithm, 512-bit key per rfc7091.
@item GNUTLS_@-PK_@-ECDH_@-X448
Elliptic curve algorithm, restricted to ECDH as per rfc7748.
@item GNUTLS_@-PK_@-EDDSA_@-ED448
Edwards curve Digital signature algorithm. Used with SHAKE256 on signatures.
@item GNUTLS_@-PK_@-MAX
-- undescribed --
@end table
@c gnutls_sign_algorithm_t
@table @code
@item GNUTLS_@-SIGN_@-UNKNOWN
Unknown signature algorithm.
@item GNUTLS_@-SIGN_@-RSA_@-SHA1
Digital signature algorithm RSA with SHA-1
@item GNUTLS_@-SIGN_@-RSA_@-SHA
Same as @code{GNUTLS_SIGN_RSA_SHA1} .
@item GNUTLS_@-SIGN_@-DSA_@-SHA1
Digital signature algorithm DSA with SHA-1
@item GNUTLS_@-SIGN_@-DSA_@-SHA
Same as @code{GNUTLS_SIGN_DSA_SHA1} .
@item GNUTLS_@-SIGN_@-RSA_@-MD5
Digital signature algorithm RSA with MD5.
@item GNUTLS_@-SIGN_@-RSA_@-MD2
Digital signature algorithm RSA with MD2.
@item GNUTLS_@-SIGN_@-RSA_@-RMD160
Digital signature algorithm RSA with RMD-160.
@item GNUTLS_@-SIGN_@-RSA_@-SHA256
Digital signature algorithm RSA with SHA-256.
@item GNUTLS_@-SIGN_@-RSA_@-SHA384
Digital signature algorithm RSA with SHA-384.
@item GNUTLS_@-SIGN_@-RSA_@-SHA512
Digital signature algorithm RSA with SHA-512.
@item GNUTLS_@-SIGN_@-RSA_@-SHA224
Digital signature algorithm RSA with SHA-224.
@item GNUTLS_@-SIGN_@-DSA_@-SHA224
Digital signature algorithm DSA with SHA-224
@item GNUTLS_@-SIGN_@-DSA_@-SHA256
Digital signature algorithm DSA with SHA-256
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA1
ECDSA with SHA1.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA224
Digital signature algorithm ECDSA with SHA-224.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA256
Digital signature algorithm ECDSA with SHA-256.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA384
Digital signature algorithm ECDSA with SHA-384.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA512
Digital signature algorithm ECDSA with SHA-512.
@item GNUTLS_@-SIGN_@-DSA_@-SHA384
Digital signature algorithm DSA with SHA-384
@item GNUTLS_@-SIGN_@-DSA_@-SHA512
Digital signature algorithm DSA with SHA-512
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-224
Digital signature algorithm ECDSA with SHA3-224.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-256
Digital signature algorithm ECDSA with SHA3-256.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-384
Digital signature algorithm ECDSA with SHA3-384.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-512
Digital signature algorithm ECDSA with SHA3-512.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-224
Digital signature algorithm DSA with SHA3-224.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-256
Digital signature algorithm DSA with SHA3-256.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-384
Digital signature algorithm DSA with SHA3-384.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-512
Digital signature algorithm DSA with SHA3-512.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-224
Digital signature algorithm RSA with SHA3-224.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-256
Digital signature algorithm RSA with SHA3-256.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-384
Digital signature algorithm RSA with SHA3-384.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-512
Digital signature algorithm RSA with SHA3-512.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA256
Digital signature algorithm RSA with SHA-256, with PSS padding (RSA-PSS certificate).
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA384
Digital signature algorithm RSA with SHA-384, with PSS padding (RSA-PSS certificate).
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA512
Digital signature algorithm RSA with SHA-512, with PSS padding (RSA-PSS certificate).
@item GNUTLS_@-SIGN_@-EDDSA_@-ED25519
Digital signature algorithm EdDSA with Ed25519 curve.
@item GNUTLS_@-SIGN_@-RSA_@-RAW
Digital signature algorithm RSA with DigestInfo formatted data
@item GNUTLS_@-SIGN_@-ECDSA_@-SECP256R1_@-SHA256
Digital signature algorithm ECDSA-SECP256R1 with SHA-256 (used in TLS 1.3 but not PKIX).
@item GNUTLS_@-SIGN_@-ECDSA_@-SECP384R1_@-SHA384
Digital signature algorithm ECDSA-SECP384R1 with SHA-384 (used in TLS 1.3 but not PKIX).
@item GNUTLS_@-SIGN_@-ECDSA_@-SECP521R1_@-SHA512
Digital signature algorithm ECDSA-SECP521R1 with SHA-512 (used in TLS 1.3 but not PKIX).
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-RSAE_@-SHA256
Digital signature algorithm RSA with SHA-256,
with PSS padding (RSA PKCS@code{1} 1.5 certificate). This signature is identical
to @code{GNUTLS_SIGN_RSA_PSS_SHA256} , but they are distinct as the TLS1.3 protocol
treats them differently.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-RSAE_@-SHA384
Digital signature algorithm RSA with SHA-384,
with PSS padding (RSA PKCS@code{1} 1.5 certificate). This signature is identical
to @code{GNUTLS_SIGN_RSA_PSS_SHA384} , but they are distinct as the TLS1.3 protocol
treats them differently.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-RSAE_@-SHA512
Digital signature algorithm RSA with SHA-512,
with PSS padding (RSA PKCS@code{1} 1.5 certificate). This signature is identical
to @code{GNUTLS_SIGN_RSA_PSS_SHA512} , but they are distinct as the TLS1.3 protocol
treats them differently.
@item GNUTLS_@-SIGN_@-GOST_@-94
Digital signature algorithm GOST R 34.10-2001 with GOST R 34.11-94
@item GNUTLS_@-SIGN_@-GOST_@-256
Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 256 bit
@item GNUTLS_@-SIGN_@-GOST_@-512
Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 512 bit
@item GNUTLS_@-SIGN_@-EDDSA_@-ED448
Digital signature algorithm EdDSA with Ed448 curve.
@item GNUTLS_@-SIGN_@-MAX
-- undescribed --
@end table
@c gnutls_ecc_curve_t
@table @code
@item GNUTLS_@-ECC_@-CURVE_@-INVALID
Cannot be known
@item GNUTLS_@-ECC_@-CURVE_@-SECP224R1
the SECP224R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP256R1
the SECP256R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP384R1
the SECP384R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP521R1
the SECP521R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP192R1
the SECP192R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-X25519
the X25519 curve (ECDH only)
@item GNUTLS_@-ECC_@-CURVE_@-ED25519
the Ed25519 curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256CPA
GOST R 34.10 CryptoPro 256 A curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256CPB
GOST R 34.10 CryptoPro 256 B curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256CPC
GOST R 34.10 CryptoPro 256 C curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256CPXA
GOST R 34.10 CryptoPro 256 XchA curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256CPXB
GOST R 34.10 CryptoPro 256 XchB curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST512A
GOST R 34.10 TC26 512 A curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST512B
GOST R 34.10 TC26 512 B curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST512C
GOST R 34.10 TC26 512 C curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256A
GOST R 34.10 TC26 256 A curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256B
GOST R 34.10 TC26 256 B curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256C
GOST R 34.10 TC26 256 C curve
@item GNUTLS_@-ECC_@-CURVE_@-GOST256D
GOST R 34.10 TC26 256 D curve
@item GNUTLS_@-ECC_@-CURVE_@-X448
the X448 curve (ECDH only)
@item GNUTLS_@-ECC_@-CURVE_@-ED448
the Ed448 curve
@item GNUTLS_@-ECC_@-CURVE_@-MAX
-- undescribed --
@end table
@c gnutls_group_t
@table @code
@item GNUTLS_@-GROUP_@-INVALID
Indicates unknown/invalid group
@item GNUTLS_@-GROUP_@-SECP192R1
the SECP192R1 curve group (legacy, only for TLS 1.2 compatibility)
@item GNUTLS_@-GROUP_@-SECP224R1
the SECP224R1 curve group (legacy, only for TLS 1.2 compatibility)
@item GNUTLS_@-GROUP_@-SECP256R1
the SECP256R1 curve group
@item GNUTLS_@-GROUP_@-SECP384R1
the SECP384R1 curve group
@item GNUTLS_@-GROUP_@-SECP521R1
the SECP521R1 curve group
@item GNUTLS_@-GROUP_@-X25519
the X25519 curve group
@item GNUTLS_@-GROUP_@-X448
the X448 curve group
@item GNUTLS_@-GROUP_@-GC256A
the GOST R 34.10 TC26 256 A curve group
@item GNUTLS_@-GROUP_@-GC256B
the GOST R 34.10 TC26 256 B curve group
@item GNUTLS_@-GROUP_@-GC256C
the GOST R 34.10 TC26 256 C curve group
@item GNUTLS_@-GROUP_@-GC256D
the GOST R 34.10 TC26 256 D curve group
@item GNUTLS_@-GROUP_@-GC512A
the GOST R 34.10 TC26 512 A curve group
@item GNUTLS_@-GROUP_@-GC512B
the GOST R 34.10 TC26 512 B curve group
@item GNUTLS_@-GROUP_@-GC512C
the GOST R 34.10 TC26 512 C curve group
@item GNUTLS_@-GROUP_@-FFDHE2048
the FFDHE2048 group
@item GNUTLS_@-GROUP_@-FFDHE3072
the FFDHE3072 group
@item GNUTLS_@-GROUP_@-FFDHE4096
the FFDHE4096 group
@item GNUTLS_@-GROUP_@-FFDHE8192
the FFDHE8192 group
@item GNUTLS_@-GROUP_@-FFDHE6144
the FFDHE6144 group
@item GNUTLS_@-GROUP_@-MAX
-- undescribed --
@end table
@c gnutls_sec_param_t
@table @code
@item GNUTLS_@-SEC_@-PARAM_@-UNKNOWN
Cannot be known
@item GNUTLS_@-SEC_@-PARAM_@-INSECURE
Less than 42 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-EXPORT
42 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-VERY_@-WEAK
64 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-WEAK
72 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-LOW
80 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-LEGACY
96 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-MEDIUM
112 bits of security (used to be @code{GNUTLS_SEC_PARAM_NORMAL} )
@item GNUTLS_@-SEC_@-PARAM_@-HIGH
128 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-ULTRA
192 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-FUTURE
256 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-MAX
-- undescribed --
@end table
@c gnutls_channel_binding_t
@table @code
@item GNUTLS_@-CB_@-TLS_@-UNIQUE
"tls-unique" (RFC 5929) channel binding
@item GNUTLS_@-CB_@-TLS_@-SERVER_@-END_@-POINT
"tls-server-end-point" (RFC 5929) channel binding
@item GNUTLS_@-CB_@-TLS_@-EXPORTER
"tls-exporter" (RFC 9266) channel binding
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
@end table
@c gnutls_gost_paramset_t
@table @code
@item GNUTLS_@-GOST_@-PARAMSET_@-UNKNOWN
Unknown/default parameter set
@item GNUTLS_@-GOST_@-PARAMSET_@-TC26_@-Z
Specified by TC26, see rfc7836
@item GNUTLS_@-GOST_@-PARAMSET_@-CP_@-A
CryptoPro-A, see rfc4357
@item GNUTLS_@-GOST_@-PARAMSET_@-CP_@-B
CryptoPro-B, see rfc4357
@item GNUTLS_@-GOST_@-PARAMSET_@-CP_@-C
CryptoPro-C, see rfc4357
@item GNUTLS_@-GOST_@-PARAMSET_@-CP_@-D
CryptoPro-D, see rfc4357
@end table
@c gnutls_ctype_target_t
@table @code
@item GNUTLS_@-CTYPE_@-CLIENT
for requesting client certificate type values.
@item GNUTLS_@-CTYPE_@-SERVER
for requesting server certificate type values.
@item GNUTLS_@-CTYPE_@-OURS
for requesting our certificate type values.
@item GNUTLS_@-CTYPE_@-PEERS
for requesting the peers' certificate type values.
@end table
@c gnutls_server_name_type_t
@table @code
@item GNUTLS_@-NAME_@-DNS
Domain Name System name type.
@end table
@c gnutls_session_flags_t
@table @code
@item GNUTLS_@-SFLAGS_@-SAFE_@-RENEGOTIATION
Safe renegotiation (RFC5746) was used
@item GNUTLS_@-SFLAGS_@-EXT_@-MASTER_@-SECRET
The extended master secret (RFC7627) extension was used
@item GNUTLS_@-SFLAGS_@-ETM
The encrypt then MAC (RFC7366) extension was used
@item GNUTLS_@-SFLAGS_@-HB_@-LOCAL_@-SEND
The heartbeat negotiation allows the local side to send heartbeat messages
@item GNUTLS_@-SFLAGS_@-HB_@-PEER_@-SEND
The heartbeat negotiation allows the peer to send heartbeat messages
@item GNUTLS_@-SFLAGS_@-FALSE_@-START
False start was used in this client session.
@item GNUTLS_@-SFLAGS_@-RFC7919
The RFC7919 Diffie-Hellman parameters were negotiated
@item GNUTLS_@-SFLAGS_@-SESSION_@-TICKET
A session ticket has been received by the server.
@item GNUTLS_@-SFLAGS_@-POST_@-HANDSHAKE_@-AUTH
Indicates client capability for post-handshake auth; set only on server side.
@item GNUTLS_@-SFLAGS_@-EARLY_@-START
The TLS1.3 server session returned early.
@item GNUTLS_@-SFLAGS_@-EARLY_@-DATA
The TLS1.3 early data has been received by the server.
@item GNUTLS_@-SFLAGS_@-CLI_@-REQUESTED_@-OCSP
Set when the client has requested OCSP staple during handshake.
@item GNUTLS_@-SFLAGS_@-SERV_@-REQUESTED_@-OCSP
Set when the server has requested OCSP staple during handshake.
@end table
@c gnutls_supplemental_data_format_type_t
@table @code
@item GNUTLS_@-SUPPLEMENTAL_@-UNKNOWN
Unknown data format
@end table
@c gnutls_srtp_profile_t
@table @code
@item GNUTLS_@-SRTP_@-AES128_@-CM_@-HMAC_@-SHA1_@-80