This documentation is for version v1.3.0 of NNG, but the latest released version is v1.8.0. see the documentation for v1.8.0 for the most up-to-date information.


#include <nng/nng.h>

#define NNG_OPT_TLS_AUTH_MODE     "tls-authmode"
#define NNG_OPT_TLS_CA_FILE       "tls-ca-file"
#define NNG_OPT_TLS_CERT_KEY_FILE "tls-cert-key-file"
#define NNG_OPT_TLS_CONFIG        "tls-config"
#define NNG_OPT_TLS_SERVER_NAME   "tls-server-name"
#define NNG_OPT_TLS_VERIFIED      "tls-verified"


This page documents the various standard options that can be set or retrieved on objects using TLS in the nng library.

The option names should always be used by their symbolic definitions.

In the following list of options, the name of the option is supplied, along with the data type of the underlying value.

Some options are only meaningful or supported in certain contexts, or may have other access restrictions. An attempt has been made to include details about such restrictions in the description of the option.

TLS Options


(int) Write-only option used to configure the authentication mode used. See nng_tls_config_auth_mode() for more details.


(string) Write-only option naming a file containing certificates to use for peer validation. See nng_tls_config_ca_file() for more information.


(string) Write-only option naming a file containing the local certificate and associated private key. The private key used must be unencrypted. See nng_tls_config_own_cert() for more information.


(nng_tls_config *) This option references the underlying TLS configuration object. A hold is placed on the underlying configuration object before returning it.

The caller should release the hold with nng_tls_config_free() when it no longer needs the TLS configuration object.
Use this option when more advanced TLS configuration is required.

(string) This write-only option is used to specify the name of the server. When used with a dialer, this potentially configures SNI (server name indication, which is used as a hint by a multihosting server to choose the appropriate certificate to provide) and also is used to validate the name presented in the server’s x509 certificate.


(bool) This read-only option indicates whether the remote peer has been properly verified using TLS authentication. May return incorrect results if peer authentication is disabled.

Inherited Options

Generally, the following option values are also available for TLS objects, when appropriate for the context: