On 08/02/16 12:34, Matt Caswell wrote:
>
>
> On 08/02/16 12:11, Rainer Jung wrote:
>> I'm adding support for OpenSSL 1.1.0 to the Apache web server.
>>
>> I struggle to migrate the renegotiation code in the case where we want
>> the client to send a client cert. The current code works as explained in
>>
>> http://www.linuxjournal.com/node/5487/print
>>
>> After using SSL_set_verify() it calls
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> SSL_set_state(ssl, SSL_ST_ACCEPT);
>> SSL_do_handshake(ssl);
>>
>> for reasons given in the article.
>>
>> The new 1.1.0 API no longer allows setting the state using
>> SSL_set_state(). The old article states that calling
>> SSL_set_accept_state() is not the right thing to do. Looking at
>> s_server.c doesn't give a hint what to do instead, because it looks like
>> it reads the client certs just raw from the socket.
>>
>> Any hint what would replace the above sequence or at least the
>> SSL_set_state(ssl, SSL_ST_ACCEPT)?
>>
>> Thanks a bunch and regards,
>
> Renegotiation isn't entirely within the control of the server. A server
> can request that a renegotiation takes place. It is up to the client
> whether it honours that request immediately; or perhaps it finishes off
> sending some application data before it gets around to honouring it; or
> perhaps it doesn't honour it at all.
>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>
> This sequence makes the server send the HelloVerifyRequest. It is then

I of course meant HelloRequest (I was looking at the DTLS code earlier,
which sends a HelloVerifyRequest!!!)

Matt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev