+static int tls_negociate(job_t *w)
+{
+ static int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+
+ if (gnutls_certificate_allocate_credentials(&w->xcred) < 0)
+ return -1;
+
+ /* ignore errors, maybe file doesn't exist yet */
+ gnutls_certificate_set_x509_trust_file(w->xcred, mod_ssl.cert_file,
+ GNUTLS_X509_FMT_PEM);
+
+ if (mod_ssl.ca_certificates_file) {
+ gnutls_certificate_set_x509_trust_file(w->xcred,
+ mod_ssl.ca_certificates_file, GNUTLS_X509_FMT_PEM);
+ }
+ gnutls_init(&w->session, GNUTLS_CLIENT);
+
+ /* set socket */
+ gnutls_transport_set_ptr(w->session, (gnutls_transport_ptr)(intptr_t)w->fd);
+
+ /* disable TLS/SSL protocols as needed */
+ if (!mod_ssl.use_sslv3) {
+ protocol_priority[1] = 0;
+ }
+
+ /* We use default priorities (see gnutls documentation),
+ except for protocol version */
+ gnutls_set_default_priority(w->session);
+ gnutls_protocol_set_priority(w->session, protocol_priority);
+ gnutls_credentials_set(w->session, GNUTLS_CRD_CERTIFICATE, w->xcred);
+ return 0;
+}
+