Thank you Patrick.  I'm aware that the SSL Client (SSL_connect) and SSL
Server (SSL_accept) can renegotiate an SSL session. But my question is: should
the Sender (SSL_write) or the Receiver (SSL_read) do the renegotiation?  For
example, if the Sender and Receiver decide to renegotiate either at a size (1G)
or a time (2 minute) boundary, would it not result in two renegotiations at the
boundary between the server and client?  So even if either side can
renegotiate, is there a preferred renegotiator? Not sure if that is even a
word, but I hope you know where I'm going with this...

Saju
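As an added illustration that is not part of this thread: a small model of the size/time boundary policy described in the question above. It shows that when each endpoint resets its counters on any completed handshake, the peer's included, one boundary costs one renegotiation, while resetting only on one's own handshakes yields the double renegotiation the question worries about. The class and function names and the traffic figures are constructed; the OpenSSL calls themselves (SSL_renegotiate, SSL_do_handshake) are not modelled.

```python
"""Constructed model of the size/time renegotiation boundary from the thread.
Each endpoint counts bytes moved and seconds elapsed since the last completed
handshake and renegotiates when the 1G or 2 minute boundary is crossed.  Only
the policy is modelled, not the OpenSSL calls (SSL_renegotiate, SSL_do_handshake)."""
from dataclasses import dataclass

ONE_GIB = 1 << 30        # the "1G" size boundary
TWO_MINUTES = 120.0      # the "2minute" time boundary


@dataclass
class RenegotiationPolicy:
    size_limit: int = ONE_GIB
    time_limit: float = TWO_MINUTES
    bytes_since: int = 0          # bytes moved since the last completed handshake
    last_handshake: float = 0.0   # initial handshake assumed at t = 0

    def record_transfer(self, n):
        self.bytes_since += n

    def due(self, now):
        return (self.bytes_since >= self.size_limit
                or now - self.last_handshake >= self.time_limit)

    def on_handshake_complete(self, now):
        # hook for the "handshake done" notification; resets both counters
        self.bytes_since = 0
        self.last_handshake = now


def run(steps, reset_on_peer=True):
    """steps: (seconds, bytes) pairs seen by both ends of one connection.
    Returns how many renegotiations both sides together performed.  With
    reset_on_peer, a handshake the peer started also resets our counters."""
    sender, receiver = RenegotiationPolicy(), RenegotiationPolicy()
    total = 0
    for now, n in steps:
        sender.record_transfer(n)
        receiver.record_transfer(n)
        for me, peer in ((sender, receiver), (receiver, sender)):
            if me.due(now):
                total += 1                    # one handshake on the wire
                me.on_handshake_complete(now)
                if reset_on_peer:             # peer saw the same handshake
                    peer.on_handshake_complete(now)
    return total


# constructed traffic: 512 MiB every 10 s, then a small write 2 minutes later
TRAFFIC = [(10, 512 << 20), (20, 512 << 20), (30, 512 << 20), (150, 1)]

if __name__ == "__main__":
    print(run(TRAFFIC), run(TRAFFIC, reset_on_peer=False))  # 2 4
```

The second figure is the "two renegotiations at the boundary" case: both sides hit the same boundary in the same step and each fires because neither credits the other's handshake.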
-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] on Behalf Of Eisenacher, Patrick
Sent: Tuesday, February 02, 2010 9:07 AM
To: 'openssl-users@openssl.org'
Subject: RE: SSL renegotiation clarifications


Hi Saju,

-----Original Message-----
From: Saju Paul

Who, as in Sender-encrypter or Receiver-decrypter, should renegotiate an SSL
session?  Can it be both or is it only the Sender?  Is there a document that
describes the protocol?
Does renegotiation always require an SSL handshake (SSL_do_handshake)?  Are
there any circumstances where the handshake is not necessary?  SSL
renegotiation described at
http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html is a
reference I'm planning to use, and it suggests that the handshake is
necessary.  Need reconfirmation.

---

Renegotiation is part of the SSL/TLS protocol and as such defined exactly
there. Both client and server can initiate the renegotiation. And yes,
renegotiation always triggers a new handshake.

Please be aware that a security weakness was discovered lately in this
renegotiation mechanism. A new TLS extension draft was published to close
this weakness. Currently, work is ongoing to adapt this extension in the
relevant security tools.

HTH,
Patrick
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org