Hi, SSL_accept/SSL_connect is something that we use to establish an initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake based on timers we install for SSL for re-negotiating KEYs such that hacking the SSL connection is robust.
Having said that, I assume you already have an SSL connection established and want to implement re-negotiation in your application. It should go like this. (OpenSSL says that for re-negotiation we should make the underlying transport BLOCKING.)

If the OpenSSL version is < 0.9.7
*************************************

    #include <openssl/ssl.h>

    SSL *ssl;                 /* the already-established connection */
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);         /* renegotiation is done on a blocking transport */
    SSL_renegotiate(ssl);     /* schedule the renegotiation */
    SSL_do_handshake(ssl);    /* send the HelloRequest (server) / ClientHello (client) */
    while (ssl->state != SSL_ST_OK) {
        /* you may want to implement a timeout here, if you want to */
        ssl->state |= SSL_ST_ACCEPT;        /* server side: put the state machine back into accept */
        if (SSL_do_handshake(ssl) <= 0) {   /* fatal error: check SSL_get_error() */
            set_nonblocking(fd);
            return FAILURE;                 /* SUCCESS/FAILURE: your application's status codes */
        }
    }
    set_nonblocking(fd);
    return SUCCESS;

****************************************************

If the OpenSSL version is > 0.9.7
*****************************************************

    #include <openssl/ssl.h>

    SSL *ssl;                 /* the already-established connection */
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);         /* renegotiation is done on a blocking transport */
    SSL_renegotiate(ssl);     /* schedule the renegotiation */
    SSL_do_handshake(ssl);    /* send the HelloRequest (server) / ClientHello (client) */
    while (SSL_renegotiate_pending(ssl)) {
        /* you may want to implement a timeout here, if you want to */
        if (SSL_do_handshake(ssl) <= 0) {   /* fatal error: check SSL_get_error() */
            set_nonblocking(fd);
            return FAILURE;                 /* SUCCESS/FAILURE: your application's status codes */
        }
    }
    set_nonblocking(fd);
    return SUCCESS;

***************************************************************

set_blocking and set_nonblocking are functions that can be implemented very easily using fcntl.

HTH,
Lokesh.

On 6/2/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Thanks pj, the code was real helpful.
>
> Just one minor clarification, once a call to SSL_renegotiate is made,
> should I check the protocol status by calling SSL_accept (mine is server)
> within the while loop you have? I have gone into an "accept_pending"
> state and calling SSL_accept until it returns with a 1..is this correct?
>
> Thanks
> --Gayathri
>
> Hi, I did the same thing yesterday myself, but because I wanted to implement a
> timeout solution as well as quick shutdown of my COM object via object
> notification. You might be able to hack my work ... this is what I came up
> with... It takes a blocking socket, makes it non-blocking... negotiates with
> timeout and signalling considerations and then passes back normal error
> codes...
>
> // SSLConnectWithTimeout, connect to a remote server with timeout
> int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl)
> {
>     //-------------------------
>     // Set the socket I/O mode: In this case FIONBIO
>     // enables or disables the blocking mode for the
>     // socket based on the numerical value of iMode.
>     // If iMode = 0, blocking is enabled;
>     // If iMode != 0, non-blocking mode is enabled.
>     int iMode = 1;
>
>     LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
>     if (timeout) {
>         // establish non-blocking mode to enable us to time out.
>         ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>     }
>
>     // make the connection attempt
>     int nRet = SSL_connect(ssl);
>
>     // if we are using a timeout then ...
>     if (timeout) {
>         // convert nRet to a real error if necessary
>         if (nRet != 1)
>             nRet = SSL_get_error(ssl, nRet);
>
>         LogInformation2("connect run return value %d.", nRet);
>         LogInformation1("Starting SSL polling loop");
>         // get the start time
>         DWORD starttime = timeGetTime();
>         while ((nRet == SSL_ERROR_WANT_READ || nRet == SSL_ERROR_WANT_WRITE)
>                && !isStopEventSignaled()) {
>
>             // Back off to let the connection happen.
>             //Sleep(50);
>             // reiterate the connection
>             nRet = SSL_connect(ssl);
>             if (nRet != 1)
>                 nRet = SSL_get_error(ssl, nRet);
>
>             // check for timeout
>             if ((timeGetTime() - starttime >= timeout) || m_signalled) {
>                 // return an error
>                 nRet = -1;
>                 break;
>             }
>         }
>         LogInformation2("Finished polling loop signalled? %d", m_signalled);
>         // if we made it to here with nRet = 1 we are SSL connected
>         if (nRet == 1) {
>             LogInformation2("Successful connection made! returning %d.", nRet);
>             // turn off non-blocking mode, back to blocking mode for the rest
>             // of the connection
>             iMode = 0;
>             ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>         }
>         else {
>             // just log the error, remember logging disappears when compiled
>             // without LOG_BUILD defined.
>             LogInformation2("Timeout occurred returning %d.", nRet);
>         }
>     }
>     // return connection state.
>     return nRet;
> }
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, 2 June 2005 2:14 PM
> To: openssl-users@openssl.org
> Subject: SSL_renegotiation using non block sockets
>
> Hi,
>
> I am using Non Blocking sockets, and would like to
> know the behaviour wrt SSL_renegotiation.
> Once I make a call to do_handshake, as the FD is non
> blocking it will return immediately with a success,
> but from the application's point of view how will it come
> to know that the renegotiation is through so that it can
> call SSL_write/SSL_read? Should the application poll on that
> do_handshake flag within the ssl control block?
>
> Any suggestion/help appreciated a lot.
>
> Thanks
> --Gayathri
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
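Gayathri's question (how an application on a non-blocking socket knows the handshake or renegotiation has finished) is answered above either by switching the fd to blocking or by spinning on SSL_connect until it stops returning SSL_ERROR_WANT_READ/WANT_WRITE; the form below instead waits with select() only for the event the library asks for, under a deadline. This is an added example written for this page, not code from any poster in the thread; the HS_* codes, hs_step_fn, fake_step and demo_handshake are assumed stand-ins for SSL_get_error() results, SSL_do_handshake() and a real connection, so the loop runs offline over a socketpair.

```c
/* Added example (not from this thread): complete a non-blocking TLS handshake or
 * renegotiation by waiting with select() only in the direction the library asks
 * for, under a deadline. HS_* and hs_step_fn stand in for SSL_ERROR_WANT_READ/
 * WANT_WRITE (from SSL_get_error()) and for SSL_do_handshake(). */
#include <fcntl.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>

enum { HS_DONE = 1, HS_WANT_READ = 2, HS_WANT_WRITE = 3 };
typedef int (*hs_step_fn)(void *conn);   /* one SSL_do_handshake() attempt */

/* Returns 1 when the handshake completed, 0 on timeout, -1 on error. */
int drive_handshake(int fd, hs_step_fn step, void *conn, int timeout_ms) {
    struct timeval t0, now, tv; gettimeofday(&t0, NULL);
    for (;;) {
        int rc = step(conn);    /* real code: SSL_do_handshake() then SSL_get_error() */
        if (rc == HS_DONE) return 1;
        if (rc != HS_WANT_READ && rc != HS_WANT_WRITE) return -1;
        gettimeofday(&now, NULL);
        long left = timeout_ms - ((now.tv_sec - t0.tv_sec) * 1000L + (now.tv_usec - t0.tv_usec) / 1000L);
        if (left <= 0) return 0;
        fd_set rfds, wfds; FD_ZERO(&rfds); FD_ZERO(&wfds);
        FD_SET(fd, rc == HS_WANT_READ ? &rfds : &wfds);   /* only the direction the library wants */
        tv.tv_sec = left / 1000; tv.tv_usec = (left % 1000) * 1000;
        int n = select(fd + 1, &rfds, &wfds, NULL, &tv);
        if (n <= 0) return n < 0 ? -1 : 0;   /* error, or deadline hit while waiting */
    }
}

/* Constructed stand-in for SSL_do_handshake() over a socketpair: the first call
 * "still has to flush its Hello" (wants write); then it needs one peer byte to finish. */
struct fake_conn { int fd; int calls; };
static int fake_step(void *p) {
    struct fake_conn *c = p; char b;
    if (c->calls++ == 0) return HS_WANT_WRITE;
    return read(c->fd, &b, 1) == 1 ? HS_DONE : HS_WANT_READ;
}

/* peer_sends=1: the byte arrives and the result is 1;
 * peer_sends=0: nothing arrives and the 100 ms deadline yields 0. */
int demo_handshake(int peer_sends) {
    int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);   /* our end is non-blocking */
    if (peer_sends) (void)write(sv[1], "x", 1);
    struct fake_conn c = { sv[0], 0 };
    int r = drive_handshake(sv[0], fake_step, &c, 100);
    close(sv[0]); close(sv[1]);
    return r;
}
```

In real use the step callback calls SSL_do_handshake() and maps SSL_get_error() to these codes, and the same loop serves SSL_connect, SSL_accept and a renegotiation driven while SSL_renegotiate_pending() is true.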