Hello, > I would like to know as an ssl server, when do I send a "Hello request" on > the wire? Based on what parameters should I trigger that? I have quite a > few questions based on this > > A) Does the re-handshake happen on the existing tcp connection? i.e the > tcp connection over which the "hello request" message is sent by the my > server? Yes.
> B) After the rehandshake is completed, does application data continue to > flow in the same tcp connection but now with the new cipher parameters? Yes. > C) Does rehandhake involve public key operations as well? i.e does the > premaster secret change? Yes. You can experiment with SSL renegotiation using openssl command. Run in "server" window command: $ openssl s_server -key vpn-server-key.pem -cert vpn-server-crt.pem -msg -debug -cipher AES256-SHA -state next, in "client" window run: $ openssl s_client -msg -debug -state and you will see proper SSL session established connection. Now, in "server" windows type: R<enter> this will trigger renegotation, you will see a lot of messages and on client side you will see client_key_exchange packet sent to server with new pre_master_secret. > I am really confused and I did spend sometime with the RFC, but I am > really lost..I was thinking if I called the API : SSL_CTX_set_timeout(), > then the session will eventually expire and end up triggering a > rehandshake if application data was flowing in that session at expiration > time. But I didnt see any such messages go out on the wire. This sets only timeout for session resumption. This is done for performance reasons to not overload server with time-consuming private key operation. For example browser connection to WWW server over https with HTTP/1.0 can generate new session for any gif, html and other. So if this connections are made within preconfigured time, server may use already established encryption parameters (identified by session_id in client_hello packet) to get abbreviated handshake. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
