I am experiencing some problems with OpenSSL renegotiations. The scenario is quite simple: If a server is sending data to the client while the client requests a renegotiation, the client will fail because it encountered an unexpected "application data" record.
I'm unsure whether this behavior is a bug or whether it is expected behavior. I checked the OpenSSL documentation but was unable to find anything related to this problem. I searched the mailing list archives and discovered that others have already asked about this problem, but I could find no responses to these questions. Here are four related posts, with the most recent posts listed first:

* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/21a982b37abc3b1a/b59af8dd1bced845
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/b4e4dfb5afe85ae5/c0504dc6db750f71
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/a21dfc5e8e2fd414/1f46224112e3cc4b
* http://groups-beta.google.com/group/mailing.openssl.users/browse_thread/thread/2324b7b1bab8070c/05d055256fabe8d1

This problem can be demonstrated in the s_server and s_client sample programs. I have tested this with the last stable release (openssl-0.9.7e) as well as with Monday's snapshot (openssl-SNAP-20050214.tar.gz). Here's how to duplicate:

- Launch the server and client, using default settings (no command line parameters) and using the certs in the apps folder.
- In the server, type a message such as "Hello", but do not press enter.
- In the client, press 'R'; it will display a RENEGOTIATING message.
- In the server, press enter to send the "Hello" message.

The client will fail with the following error:

3520:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:.\ssl\s3_pkt.c:1194:

In a real-world environment, it appears that when the client requests a renegotiation while the server is streaming data, the client will fail because it received unexpected application data from the server. Is this a limitation of the SSL protocol, of the OpenSSL library, or of the s_server and s_client samples? Also, what is the appropriate way of dealing with this problem?
Will OpenSSL eventually support this, or is this something that must be built in each application's protocol? Thank you.

Matthias Miller

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
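The race in the reproduction above, as an added illustration that is not part of the original post and not OpenSSL source: the server has already queued an application_data record (the typed "Hello") when the client's renegotiation ClientHello arrives, so the client sees application data interleaved with handshake records. The code below parses a hand-constructed TLS record stream using the standard content-type values (20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data) and runs it through a deliberately simplified client model. The "strict" policy, which rejects application data while a handshake is in progress, reproduces the failure the post describes; the "buffering" policy is an alternative design sketch, not a description of what OpenSSL does. Function names, the byte stream and the abbreviated handshake bodies are all constructed for this example.

```python
"""
Simplified TLS record-layer walkthrough of the renegotiation race.
Added illustration code; the byte stream and the client state machine
are constructed models, not OpenSSL behaviour or OpenSSL code.
"""
import struct

# TLS record content types (constants from the TLS specification).
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
# Handshake message types we care about in this model.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 20: "finished"}


def tls_record(content_type: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def handshake_record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake message (type(1) | length(3) | body) in a handshake record."""
    return tls_record(22, bytes([hs_type]) + len(body).to_bytes(3, "big") + body)


def parse_records(data: bytes):
    """Split a byte stream into (content_type_name, handshake_type_or_None, payload)."""
    out = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        off += 5
        # Reject lengths beyond the record-layer maximum or past end of input.
        if length > 2 ** 14 + 2048 or len(data) - off < length:
            raise ValueError("bad record length")
        payload = data[off:off + length]
        off += length
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        hs = HANDSHAKE_TYPES.get(payload[0]) if name == "handshake" and payload else None
        out.append((name, hs, payload))
    return out


def client_read(records, renegotiating: bool, buffer_app_data: bool):
    """
    Model a client that has just sent a renegotiation ClientHello
    (renegotiating=True) and then reads `records` from the server.
    Returns (status, list_of_delivered_application_data).

    strict (buffer_app_data=False): application_data while a handshake is
    in progress is fatal, matching the "unexpected record" failure.
    buffering (buffer_app_data=True): application data is handed to the
    application and the handshake continues (a design sketch only).
    The handshake is treated as finished once a Finished message is seen.
    """
    delivered = []
    in_handshake = renegotiating
    for name, hs, payload in records:
        if name == "application_data":
            if in_handshake and not buffer_app_data:
                return ("error: unexpected record", delivered)
            delivered.append(payload)
        elif name == "handshake":
            if hs == "finished":
                in_handshake = False
        elif name == "alert":
            return ("alert", delivered)
    return ("ok", delivered)


# Constructed server-side stream: the typed "Hello" goes out first, then the
# renegotiation handshake. Handshake bodies are abbreviated placeholders.
SERVER_STREAM = (
    tls_record(23, b"Hello\n")
    + handshake_record(2, b"\x03\x01" + b"\x00" * 32)   # server_hello (abbreviated)
    + tls_record(20, b"\x01")                            # change_cipher_spec
    + handshake_record(20, b"\x00" * 12)                 # finished (abbreviated)
)


def demo():
    """Run both client policies over the constructed stream."""
    recs = parse_records(SERVER_STREAM)
    strict = client_read(recs, renegotiating=True, buffer_app_data=False)
    tolerant = client_read(recs, renegotiating=True, buffer_app_data=True)
    return [r[0] for r in recs], strict, tolerant


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the record sequence `application_data, handshake, change_cipher_spec, handshake`, a strict client aborting on the first record with no data delivered, and the buffering model delivering `Hello` and completing. The security-relevant point is that the in-flight record was protected under the pre-renegotiation keys; a client that refuses to mix it with the new handshake is choosing simplicity over tolerance, which is why the post's question about where the fix belongs (protocol, library, or application) is the right one to ask.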