On Mon, Apr 05, 1999 at 11:07:57AM -0400, Nishith Dipak Shah wrote:
> I need to implement an SSL server that will force a renegotiation after a
> certain period of time.
Why "after a certain period of time"? Renegotiation is useful e.g. if
you want to verify a client certificate when you did not already do so
in the initial handshake, but renegotiation after a time-out is
usually not very meaningful, I'd think.
> I have the server up and running, but I cant
> seem to get the renegotiation to work.
>
> I am using the function SSL_renegotiate() in the server code. Is that
> all I need to do? Do I need to add code before this call and/or in the
> client program (I implemented the client using openssl too).
SSL_renegotiate just sets the server state so that it will send a
HelloRequest soon. After that, you have to tell OpenSSL that it must
actually send a message (SSL_do_handshake), but obviously that's not
your problem, since you report that your client sends its ClientHello.
> I added a few printf statements in s3_srvr.c and s3_clnt.c to see what was
> going on with the handshake. What was happening was that the server would
> send the Hello Request (A/B and then C?) and thats it. It would never see
> the client Hello so it would never send back the server Hello. The
> client, on the other hand, would see the Hello Request, send back a client
> Hello, and then keep waiting for the server Hello.
Does your server use SSL_read after sending the HelloRequest? If so,
it should probably work. Note that after sending a HelloRequest the
server cannot usually immediately go into accept state because the
client may still be sending data. It's actually the client that
triggers the new handshake by sending a ClientHello. If you
don't want the server to accept any more data from the client after
the HelloRequest has been sent (which makes sense only if the
application protocol is synchronized at that moment), then call
SSL_set_accept_state followed by a second SSL_do_handshake.
Note that if you don't do that, the client could simply ignore the
HelloRequest.
If you use non-blocking IO and select() (or poll() or pselect() and
the like) in your server program, then there is the further
complication that SSL_read and SSL_write do not necessarily correspond
to OS-level reads and writes, respectively: When SSL_read or SSL_write
is called within a handshake (which also may have been requested by
the other party without knowledge of your application program), data
flows in both directions. SSL_want_read and SSL_want_write must be
used to find out what you should select() for.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
