On Sun, Aug 12, 2001 at 07:32:25AM -0400, Avery Fay wrote:
> I've been given a task that a previous employee at our company was
> unable to accomplish. Before I start I would like to ask if it is even
> possible.
>
> What I need to do:
>
> 1.) start a ssl session
> 2.) send / receive some data
> 3.) stop that session but keep the tcp / ip connection open
> 4.) start a new ssl session using that tcp / ip connection
> 5.) send / receive more data
> 6.) close the connection
>
> Both sides of the connection will know when to start the new ssl
> session. The reason I need to do this is somewhat complicated, but a
> hard requirement is that I have to keep the tcp / ip connection open and
> I must start a new ssl session. Can this be done? Are there any problem
> areas that I may run into? Thanks for your time and please CC me because
> I am not subscribed to the list (but may be soon if this is possible).

I think it should be possible to realize this.
The problem may be in the correct shutdown of the SSL layer. Both the
client and the server must stay synchronized.
With respect to the current realization of SSL_shutdown() (which tends
to be strange):
The first call to SSL_shutdown() will send the "alert close" to the peer,
but does not wait for the peer to send its closure alert.
* Peer 1:
  - SSL_shutdown(): send "close alert"
    (SSL_shutdown() should return 0!?)
* Peer 2:
  - receives "close alert"
  - SSL_shutdown(): send "close alert".
    SSL_shutdown() should return 1.
  - The SSL connection on Peer 2 is now closed properly, but there is
    still a "close alert" on the wire on its way to "peer 1".
    This package on the wire now must be processed by "peer 1", so that
    both parties are in sync again.
* Peer 1:
  - Call SSL_shutdown() again, in order to process the "close alert" on
    the wire.
    SSL_shutdown() should now return 1.
After this processing has succeeded, both parties should be in sync and
a new SSL handshake should be possible.
Rule of thumb: call SSL_shutdown() twice, if the first call did not
succeed...
Best regards,
Lutz
PS. The manual page for SSL_shutdown() does not reflect this behaviour
properly. I have to fix this...
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]