Nelson wrote:
> If you've got an SSL connection going and the peer application requests a
> handshake, libSSL will do that handshake transparently to you (except that
> if you've registered any callbacks, they will get called as appropriate
> during the handshake). You can force a handshake to occur when you want,
> but you cannot prevent a handshake from occurring when you don't want it.

And when the handshake occurs again, the peer's certificate may be different than the one presented at the start when I do the SSL_ForceHandshake... I now see your point more clearly. I thought that once the SSL connection was up and going after the initial handshake, then any new handshaking meant re-establishing the connection, that is, closing the current connection and opening a new one... (BTW, isn't there a way to force things to happen that way?)

Also, what are the equivalent callbacks in JSS? I know only of org\mozilla\jss\ssl\SSLCertificateApprovalCallback.html...

-- P

"Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Patrick wrote:
> >
> > Ok agreed. However in my case, I don't expect the handshake to be redone
> > (or restarted). My NSS-enabled apps connect, exchange data, and then
> > disconnect.
>
> Right. That's how _your_ apps behave. How do the bad guy's apps behave?
>
> > There's no multiple connections, just one. Unless the
> > underlying SSL implementation redoes the handshake, doing the cert checks
> > once at the beginning of the handshake should be OK.
>
> If you've got an SSL connection going and the peer application requests a
> handshake, libSSL will do that handshake transparently to you (except that
> if you've registered any callbacks, they will get called as appropriate
> during the handshake). You can force a handshake to occur when you want,
> but you cannot prevent a handshake from occurring when you don't want it.
>
> > What callbacks are you referring to when you talk about callback functions
> > registered with libssl? What header file are they defined in?
>
> ssl.h declares 4 callback function types and 4 functions for registering
> application-defined callback functions with the library for an SSL socket.
> There is extensive documentation on them in the libSSL reference manual.
> See
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1089578
>
> The Reference Manual for libSSL is at
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/
>
> There's even a section in the manual on NSS library functions that are
> commonly used by application-defined callback functions. See
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslintro.html#1027820
>
> I encourage anyone trying to use libSSL to Read That Fine Manual ! :)
>
> --
> Nelson Bolyard
> Disclaimer: I speak for myself, not for Netscape
