Hi Saju,

-----Original Message-----
From: Saju Paul

Who, as in Sender-encrypter or Receiver-decrypter, should renegotiate an SSL session? Can it be both or is it only the Sender? Is there a document that describes the protocol?

Does renegotiation always require SSL handshake? (SSL_do_handshake) Are there any circumstances where the handshake is not necessary?

SSL renegotiation described @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html is a reference I'm planning to use and it suggests that the handshake is necessary. Need reconfirmation.

---

Renegotiation is part of the SSL/TLS protocol and as such defined exactly there. Both client and server can initiate the renegotiation. And yes, renegotiation always triggers a new handshake.

Please be aware that a security weakness was discovered lately in this renegotiation mechanism. A new TLS extension draft was published to close this weakness. Currently, work is ongoing to adapt this extension in the relevant security tools.

HTH,
Patrick

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
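The TLS extension that closes the renegotiation weakness was standardized as RFC 5746 (the renegotiation_info extension plus the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value). The Python code below is an added example, not part of the original messages and not OpenSSL code; it classifies how a decoded ClientHello handshake message signals that extension. The function names and the sample messages built by build_client_hello are constructed for illustration.

```python
import struct

SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (RFC 5746)
RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def parse_client_hello(msg):
    """Return (cipher_suites, {ext_type: data}) for one decoded handshake message."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                          # client_version + random
        pos += 1 + body[pos]                  # session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
        pos += 2 + cs_len
        pos += 1 + body[pos]                  # compression_methods
        exts = {}
        if pos < len(body):                   # the extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos < end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                exts[etype] = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return suites, exts

def renegotiation_signal(msg):
    """Classify how a ClientHello signals RFC 5746 secure renegotiation."""
    suites, exts = parse_client_hello(msg)
    if RENEG_INFO in exts:
        data = exts[RENEG_INFO]               # 1-byte length + renegotiated_connection
        if not data or data[0] != len(data) - 1:
            return "malformed"
        # Empty on the first handshake; carries the previous client Finished
        # verify_data when this handshake renegotiates an existing session.
        return "initial-secure" if data[0] == 0 else "renegotiation-secure"
    return "initial-secure" if SCSV in suites else "unprotected"

def build_client_hello(suites, exts=()):
    """Constructed sample input: a minimal TLS 1.0 ClientHello."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    if exts:
        eb = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
        body += struct.pack("!H", len(eb)) + eb
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A renegotiation ClientHello travels encrypted under the existing session, so this check applies to messages decoded at an endpoint or in a test harness, not to a passive capture.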