1 files changed, 42 insertions, 0 deletions

diff --git a/src/transport/ws/websocket.h b/src/transport/ws/websocket.h
index a0d8a6cc..1f261067 100644
--- a/src/transport/ws/websocket.h
+++ b/src/transport/ws/websocket.h
@@ -35,6 +35,48 @@ NNG_DECL int nng_ws_register(void);
 // behavior.
 #define NNG_OPT_WSS_TLS_CONFIG "wss:tls-config"
 
+// NNG_OPT_WSS_TLS_CERT_KEY_FILE names a single file that
+// contains a certificate and key identifying ourself.  This
+// is a write-only value.  Listeners can call this multiple
+// times for different keys/certs corresponding to different
+// algorithms, whereas clients only get one.  The file must
+// contain both cert and key as PEM blocks, and the key must
+// not be encrypted.  (If more flexibility is needed, use the
+// TLS configuration directly.)  Note that TLS configuration
+// cannot be changed if the listener, or any other from the same
+// server and port, is already started.
+#define NNG_OPT_WSS_TLS_CERT_KEY_FILE "wss:tls-cert-key-file"
+
+// NNG_OPT_WSS_TLS_CA_FILE names a single file that
+// contains certificate(s) for a CA, and optinally CRLs.  This
+// is a write-only value.  Listeners can call this multiple
+// times for different keys/certs corresponding to different
+// algorithms, whereas clients only get one.  The file must
+// contain certs as PEM blocks, and may contain CRLs as PEM
+// as well.  (If more flexibility is needed, use the
+// TLS configuration directly.)  Note that TLS configuration
+// cannot be changed if the listener, or any other from the same
+// server and port, is already started.
+#define NNG_OPT_WSS_TLS_CA_FILE "wss:tls-ca-file"
+
+// NNG_OPT_WSS_TLS_AUTH_MODE is a write-only integer (int) option
+// that specifies whether the peer is verified or not.  The option
+// can take one of the values of NNG_TLS_AUTH_MODE_NONE,
+// NNG_TLS_AUTH_MODE_OPTIONAL, or NNG_TLS_AUTH_MODE_REQUIRED.
+// The default is NNG_TLS_AUTH_MODE_NONE for listeners, and
+// NNG_TLS_AUTH_MODE_REQUIRED for dialers.
+#define NNG_OPT_WSS_TLS_AUTH_MODE "wss:tls-auth-mode"
+
+// NNG_OPT_WSS_TLS_SERVER_NAME is a write-only string that can be
+// set on dialers to check the CN of the server for a match.  This
+// can also affect SNI (server name indication).
+#define NNG_OPT_WSS_TLS_SERVER_NAME "wss:tls-server-name"
+
+// NNG_OPT_WSS_TLS_VERIFIED returns a single integer, indicating
+// whether the peer was verified or not.  This is a read-only value
+// available only on pipes.
+#define NNT_OPT_WSS_TLS_VERIFIED "wss:tls-verified"
+
 // These aliases are for WSS naming consistency.
 #define NNG_OPT_WSS_REQUEST_HEADERS NNG_OPT_WS_REQUEST_HEADERS
 #define NNG_OPT_WSS_RESPONSE_HEADERS NNG_OPT_WS_RESPONSE_HEADERS