Patrick wrote:
>
> Ok agreed. However in my case, I don't expect the handshake to be redone
> (or restarted). My NSS-enabled apps connect, exchange data, and then
> disconnect.

Right. That's how _your_ apps behave. How do the bad guy's apps behave?

> There's no multiple connections, just one. Unless the
> underlying SSL implementation redoes the handshake, doing the cert checks
> once at the beginning of the handshake should be OK.

If you've got an SSL connection going and the peer application requests a handshake, libSSL will do that handshake transparently to you (except that if you've registered any callbacks, they will get called as appropriate during the handshake). You can force a handshake to occur when you want, but you cannot prevent a handshake from occurring when you don't want it.

> What callbacks you're referring to when you talk about callback functions
> registered with libssl? What header file are they defined in?

ssl.h declares 4 callback function types and 4 functions for registering application-defined callback functions with the library for an SSL socket. There is extensive documentation on them in the libSSL reference manual. See http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1089578

The Reference Manual for libSSL is at http://www.mozilla.org/projects/security/pki/nss/ref/ssl/

There's even a section in the manual on NSS library functions that are commonly used by application-defined callback functions. See http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslintro.html#1027820

I encourage anyone trying to use libSSL to Read That Fine Manual! :)

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
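
As an added example (not part of the original post, and not NSS's own code): one way to act on the point above is to put the certificate checks in an authentication callback registered with `SSL_AuthCertificateHook`, so they run inside whichever handshake presents a certificate, including one the peer requests later on the same connection. It goes one step beyond the thread by also rejecting a re-handshake whose certificate differs from the one first accepted. `PeerPin`, `peer_pin_check`, `auth_hook`, `install_pin` and the `WITH_NSS` macro are hypothetical names chosen for this sketch.

```c
/* Added example, not from the original post; WITH_NSS enables the NSS glue. */
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-socket state: DER of the cert accepted on the first handshake. */
typedef struct { unsigned char *der; size_t len; } PeerPin;

/* Decision logic, 0 = accept, -1 = reject. The first handshake records the
 * certificate; every later handshake must present the identical one. */
int peer_pin_check(PeerPin *pin, const unsigned char *der, size_t len)
{
    if (der == NULL || len == 0)
        return -1;                  /* no peer certificate: fail closed */
    if (pin->der == NULL) {         /* initial handshake */
        if ((pin->der = malloc(len)) == NULL)
            return -1;
        memcpy(pin->der, der, len);
        pin->len = len;
        return 0;
    }
    /* re-handshake on the same connection */
    return (len == pin->len && memcmp(der, pin->der, len) == 0) ? 0 : -1;
}

#ifdef WITH_NSS
#include <ssl.h>
#include <cert.h>

/* SSLAuthCertificate callback: libSSL runs it during a handshake, not the app. */
static SECStatus auth_hook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
{
    /* Library's default chain validation first, then the pin. */
    if (SSL_AuthCertificate(CERT_GetDefaultCertDB(), fd, checkSig, isServer) != SECSuccess)
        return SECFailure;
    CERTCertificate *cert = SSL_PeerCertificate(fd);
    if (cert == NULL)
        return SECFailure;
    int rc = peer_pin_check(arg, cert->derCert.data, cert->derCert.len);
    CERT_DestroyCertificate(cert);
    return rc == 0 ? SECSuccess : SECFailure;
}

/* Register on the SSL socket before the first handshake. */
SECStatus install_pin(PRFileDesc *sslfd, PeerPin *pin)
{
    return SSL_AuthCertificateHook(sslfd, auth_hook, pin);
}
#endif
```

Compile with `-DWITH_NSS` plus the NSS and NSPR include paths to build the callback; without the macro only the decision logic is compiled.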
