2 files changed, 21 insertions, 0 deletions

diff --git a/include/nng/nng.h b/include/nng/nng.h
index 811cb456..5bb320b6 100644
--- a/include/nng/nng.h
+++ b/include/nng/nng.h
@@ -755,6 +755,19 @@ NNG_DECL nng_listener nng_pipe_listener(nng_pipe);
 // peer authentication is disabled with `NNG_TLS_AUTH_MODE_NONE`.
 #define NNG_OPT_TLS_VERIFIED "tls-verified"
 
+// NNG_OPT_TLS_PEER_CN returns the string with the common name
+// of the peer certificate. Typically this is read-only and
+// only available for pipes. This option may return incorrect results if
+// peer authentication is disabled with `NNG_TLS_AUTH_MODE_NONE`.
+#define NNG_OPT_TLS_PEER_CN "tls-peer-cn"
+
+// NNG_OPT_TLS_PEER_ALT_NAMES returns string list with the
+// subject alternative names of the peer certificate. Typically this is
+// read-only and only available for pipes. This option may return
+// incorrect results if peer authentication is disabled with
+// `NNG_TLS_AUTH_MODE_NONE`.
+#define NNG_OPT_TLS_PEER_ALT_NAMES "tls-peer-alt-names"
+
 // TCP options.  These may be supported on various transports that use
 // TCP underneath such as TLS, or not.
 
diff --git a/include/nng/supplemental/tls/engine.h b/include/nng/supplemental/tls/engine.h
index 81385fbc..309d83c5 100644
--- a/include/nng/supplemental/tls/engine.h
+++ b/include/nng/supplemental/tls/engine.h
@@ -80,6 +80,14 @@ typedef struct nng_tls_engine_conn_ops_s {
 	// verified returns true if the connection is fully
 	// TLS verified, false otherwise.
 	bool (*verified)(nng_tls_engine_conn *);
+
+	// peer_cn returns the common name of the peer
+	// The return string needs to be freed.
+	char *(*peer_cn)(nng_tls_engine_conn *);
+
+	// peer_alt_names returns the subject alternative names.
+	// The return string list and its strings need to be freed.
+	char **(*peer_alt_names)(nng_tls_engine_conn *);
 } nng_tls_engine_conn_ops;
 
 typedef struct nng_tls_engine_config_ops_s {