Patrick wrote:
> > Nelson wrote:
> > If you've got an SSL connection going and the peer application requests a
> > handshake, libSSL will do that handshake transparently to you (except that
> > if you've registered any callbacks, they will get called as appropriate
> > during the handshake). You can force a handshake to occur when you want,
> > but you cannot prevent a handshake from occurring when you don't want it.
>
> And when the handshake occurs again, the peer's certificate may be different
> than the one presented at the start when I do the SSL_ForceHandshake... I now
> see your point more clearly. I thought that once the SSL connection was up
> and going after the initial handshake, then any new handshaking meant
> re-establishing the connection, that is closing the current connection and
> opening a new one... (BTW, isn't there a way to force things to happen that
> way?)
SSL3 doesn't define any way to prevent subsequent handshakes on an SSL3
connection. TLS (SSL 3.1, RFC 2246) defines a new alert named "no_renegotiation"
that one side can send to the other when the other has requested a handshake on
a connection that has already completed one handshake. NSS has not yet provided
a way for an application to instruct it to send this alert. I'll file a request
for enhancement to add this feature on your behalf.

> Also what are the equivalent callbacks in JSS? I know only of
> org\mozilla\jss\ssl\SSLCertificateApprovalCallback.html...

Only Mr. JSS can answer that. :-)

-- 
Nelson Bolyard
Netscape
Disclaimer: I speak for myself, not for Netscape
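The renegotiation behaviour discussed above, as an added example that is not
from the thread, from NSS or from JSS: a Python model (not the NSS C API) of
the two things an application can do about a second handshake on a live
connection. It encodes and parses the TLS 1.0 alert record for
no_renegotiation as RFC 2246 defines it (content type 21, version 3.1,
warning level 1, description 100), which is what an application would send if
it wanted to refuse the handshake, and it shows the check the application
otherwise has to make itself: pin the peer certificate authenticated at the
first handshake and refuse to continue if a later handshake presents a
different one. The RenegotiationPolicy class, its method names and the DER
stand-in byte strings are constructed for illustration; real code would feed
it the bytes returned by SSL_PeerCertificate() from inside its NSS callbacks.

```python
"""TLS 1.0 (RFC 2246) alert records and an application-side renegotiation policy.

Illustration only: this does not link against NSS. Record layout follows
RFC 2246 section 6.2.1, alert values follow section 7.2.
"""
import hashlib
import struct

CONTENT_TYPE_ALERT = 21
TLS_1_0 = (3, 1)
ALERT_WARNING, ALERT_FATAL = 1, 2

# A subset of AlertDescription values from RFC 2246 section 7.2.
# no_renegotiation (100) is the alert TLS added that SSL 3.0 does not have.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    100: "no_renegotiation",
}
NO_RENEGOTIATION = 100


def encode_alert(level, description, version=TLS_1_0):
    """Build a plaintext alert record: type, version, 2-byte length, then the alert body."""
    body = bytes([level, description])
    header = struct.pack("!BBBH", CONTENT_TYPE_ALERT, version[0], version[1], len(body))
    return header + body


def decode_alert(record):
    """Parse an alert record; raise ValueError for anything that is not a well-formed alert."""
    if len(record) != 7:
        raise ValueError("alert record must be exactly 7 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT or length != 2:
        raise ValueError("not an alert record")
    level, description = record[5], record[6]
    if level not in (ALERT_WARNING, ALERT_FATAL):
        raise ValueError("bad alert level")
    return {
        "version": (major, minor),
        "level": level,
        "description": ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description),
    }


def fingerprint(cert_der):
    """SHA-256 over the DER bytes, the usual way to compare two certificates for identity."""
    return hashlib.sha256(cert_der).hexdigest()


class RenegotiationPolicy:
    """Per-connection state an application keeps, since the library will not refuse for it.

    refuse=True:  answer any handshake request after the first with a warning-level
                  no_renegotiation alert (the TLS 1.0 mechanism from RFC 2246).
    refuse=False: let the handshake run, but require the peer certificate to match
                  the one authenticated in the first handshake, so the peer cannot
                  change identity mid-connection without the application noticing.
    """

    def __init__(self, refuse):
        self.refuse = refuse
        self.pinned = None       # fingerprint of the first authenticated peer cert
        self.handshakes = 0

    def on_handshake_request(self):
        """Return an alert record to send back, or None to let the handshake proceed."""
        if self.handshakes > 0 and self.refuse:
            return encode_alert(ALERT_WARNING, NO_RENEGOTIATION)
        return None

    def on_handshake_complete(self, peer_cert_der):
        """Called when a handshake finishes; True if the connection may keep going."""
        self.handshakes += 1
        fp = fingerprint(peer_cert_der)
        if self.pinned is None:
            self.pinned = fp
            return True
        return fp == self.pinned


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real certificates).
    first_cert, swapped_cert = b"constructed DER cert A", b"constructed DER cert B"
    policy = RenegotiationPolicy(refuse=False)
    policy.on_handshake_complete(first_cert)
    print("second handshake with a different cert accepted:",
          policy.on_handshake_complete(swapped_cert))
    print("no_renegotiation alert:", encode_alert(ALERT_WARNING, NO_RENEGOTIATION).hex())
```

The alert is sent at warning level because RFC 2246 says a no_renegotiation
alert is always a warning; the side that asked for the handshake then decides
whether it can live with the connection as it is. Pinning the fingerprint
rather than re-running the full certificate chain check is deliberate: the
chain was already verified once, and the question after a renegotiation is
only whether the same party is still on the other end.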
