s as well.

The re-authentication process, allows the connected client to switch
identity by presenting a new certificate.  Unlike TLS 1.2, the server is
not allowed to change identities.  That client re-authentication, or
post-handshake authentication can be initiated only by the server using
*note gnutls_reauth::, and only if a client has advertised support for
it.  Both server and client have to explicitly enable support for post
handshake authentication using the ‘GNUTLS_POST_HANDSHAKE_AUTH’ flag at
*note gnutls_init::.

A client receiving a re-authentication request will "see" the error code
‘GNUTLS_E_REAUTH_REQUEST’ at *note gnutls_record_recv::.  At this point,
it should also call *note gnutls_reauth::.

To make re-authentication transparent to the application when requested
by the server, use the ‘GNUTLS_AUTO_REAUTH’ and
‘GNUTLS_POST_HANDSHAKE_AUTH’ flags on the *note gnutls_init:: call.  In
that case the re-authentication will happen in the call of *note
gnutls_record_recv:: that received the reauthentication request.