Everything TLS Related

libsoup comes with TLS support provided by glib-networking. This has multiple backends including gnutls (default on all platforms), SChannel on Windows, or OpenSSL.

Accepting Invalid or Pinned Certificates

This makes use of the SoupMessage::accept-certificate signal.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
static gboolean
accept_certificate_callback (SoupMessage *msg, GTlsCertificate *certificate,
                             GTlsCertificateFlags tls_errors, gpointer user_data)
{
    // Here you can inspect @certificate or compare it against a trusted one
    // and you can see what is considered invalid by @tls_errors.
    // Returning TRUE trusts it anyway.
    return TRUE;
}

int main (int argc, char **argv)
{
    SoupSession *session = soup_session_new ();
    SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "https://example.org");
    g_signal_connect (msg, "accept-certificate", G_CALLBACK (accept_certificate_callback), NULL);
    GInputStream *in_stream = soup_session_send (session, msg, NULL, NULL);

    if (in_stream) {
        g_object_unref (in_stream);
    }

    return 0;
}

Setting a Custom CA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
    GError *error = NULL;
    // NOTE: This is blocking IO
    GTlsDatabase *tls_db = g_tls_file_database_new ("/foo/ca.pem", &error);

    if (error) {
        g_printerr ("Failed to load certificates: %s\n", error->message);
        g_error_free (error);
        return;
    }

    SoupSession *session = soup_session_new_with_options ("tls-database", tls_db, NULL);
    g_object_unref (tls_db);
}

Using Client Certificates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
// We must create a custom GTlsInteraction so lets do that inline
typedef struct _GetTlsCertInteraction        GetTlsCertInteraction;
typedef struct _GetTlsCertInteractionClass   GetTlsCertInteractionClass;

static GType                    _get_tls_cert_interaction_get_type    (void) G_GNUC_CONST;
static GetTlsCertInteraction *  _get_tls_cert_interaction_new         (GTlsCertificate *cert);

struct _GetTlsCertInteraction
{
	GTlsInteraction parent_instance;
	GTlsCertificate *cert;
};

struct _GetTlsCertInteractionClass
{
	GTlsInteractionClass parent_class;
};

G_DEFINE_TYPE (GetTlsCertInteraction, _get_tls_cert_interaction, G_TYPE_TLS_INTERACTION);

static GTlsInteractionResult
request_certificate (GTlsInteraction              *interaction,
                     GTlsConnection               *connection,
                     GTlsCertificateRequestFlags   flags,
                     GCancellable                 *cancellable,
                     GError                      **error)
{
	GetTlsCertInteraction *self = (GetTlsCertInteraction*)interaction;
	g_tls_connection_set_certificate (connection, self->cert);
	return G_TLS_INTERACTION_HANDLED;
}

static void
_get_tls_cert_interaction_init (GetTlsCertInteraction *interaction)
{
}

static void
_get_tls_cert_interaction_class_init (GetTlsCertInteractionClass *klass)
{
	GTlsInteractionClass *interaction_class = G_TLS_INTERACTION_CLASS (klass);
	interaction_class->request_certificate = request_certificate;
}

GetTlsCertInteraction *
_get_tls_cert_interaction_new (GTlsCertificate *cert)
{
	GetTlsCertInteraction *self = g_object_new (_get_tls_cert_interaction_get_type (), NULL);
	self->cert = g_object_ref (cert);
	return self;
}

int main (int argc, char **argv)
{
    GError *error = NULL;
    GTlsCertificate *client_cert = g_tls_certificate_new_from_file ("/foo/cert.pem", &error);

    if (error) {
        g_printerr ("Failed to load certificate: %s\n", error->message);
        g_error_free (error);
        return 1;
    }

    GTlsInteraction *interaction = _get_tls_cert_interaction_new (cert);
    SoupSession *session = soup_session_new_with_options ("tls-interaction", interaction, NULL);

    // Send a message

    g_object_unref (interaction);
    g_object_unref (client_cert);
    return 0;
}