Hello,
> > You can, for example, test this with command:
> >
> > "while true; do echo R; done | openssl s_client -connect ssl_host:443"
> >
> > Maybe there should be added something like "renegotiation_rate" ?
> 
> Real-world servers already do this. It's kind of redundant for OpenSSL to
> do this as well because almost all applications also support non-SSL
> connections. A renegotiation callback might not be a bad idea though, so
> that applications can better track the load clients are placing.
This happens in the SSL layer, not the application layer.
The letter 'R', when sent to the "openssl" command, triggers
SSL_renegotiate()/SSL_do_handshake() (and is
not sent to the server); it works like a control character
to the "openssl" command.

For example:

$ openssl s_client -connect www.yahoo.com:443 -state -cipher DES-CBC3-SHA
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
..
..  (SOME DATA REMOVED)
..
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
9115E480BB88683CD1B81DC3D74F1AE49F0395E4C0AA4CED0FBE2CDF58B1C01F
    Session-ID-ctx:
    Master-Key:
32360649025D1755913DB7DBA116BEB3440164BDBEE45AB20B97080C58B410B6286090E7D2CD6B2287E3E8E72631A07C
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1147462809
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
R                        <-- TRIGGER RENEGOTIATION (by entering R<enter>)
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo!
Inc./OU=Yahoo/CN=www.yahoo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo!
Inc./OU=Yahoo/CN=www.yahoo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo!
Inc./OU=Yahoo/CN=www.yahoo.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

As you see, the client is sending a client_key_exchange handshake packet
which must be decrypted on the server side with the server's RSA private key.

In other words, after establishing an SSL connection the client
may execute SSL_renegotiate()/SSL_do_handshake() and the server
(if it has no SSL "renegotiate_rate_limit") has to use its private RSA key
(if we use RSA), which is very time consuming.
All this happens within one TCP connection.

The application layer does not see this.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
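The "renegotiate_rate_limit" the message asks for can be built outside the library as a per-connection budget of handshake starts. The C below is an added example, not code from this thread or from OpenSSL: it keeps the timestamps of recent handshake starts on one connection and refuses any start that would exceed a fixed number per time window, which is the point at which a server would close the connection instead of spending another RSA private-key operation. The limits (3 per 10 seconds, at most 16 tracked starts) and the timeline in main() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Per-connection renegotiation rate limiter (added example, not OpenSSL code).
 * Every handshake start on a connection, the initial one included, is reported
 * to reneg_allow(). At most `max_per_window` starts are accepted inside any
 * window of `window_sec` seconds; a start beyond that is refused and the
 * caller is expected to close the connection.
 */
#define RENEG_MAX_TRACKED 16   /* assumed bound on starts remembered per connection */

typedef struct {
    unsigned max_per_window;            /* budget of handshake starts per window */
    unsigned window_sec;                /* window length in seconds */
    unsigned count;                     /* starts currently inside the window */
    uint64_t starts[RENEG_MAX_TRACKED]; /* their timestamps, oldest first */
    unsigned refused;                   /* starts refused over the connection's life */
} reneg_limiter;

void reneg_init(reneg_limiter *l, unsigned max_per_window, unsigned window_sec)
{
    memset(l, 0, sizeof *l);
    /* The budget can never exceed the array that remembers the starts. */
    l->max_per_window = max_per_window > RENEG_MAX_TRACKED ? RENEG_MAX_TRACKED
                                                           : max_per_window;
    l->window_sec = window_sec;
}

/* Report a handshake start at time `now` (seconds, monotonic clock).
 * Returns true if it fits the budget, false if the connection should be dropped. */
bool reneg_allow(reneg_limiter *l, uint64_t now)
{
    /* Forget starts that have aged out of the window. */
    unsigned keep = 0;
    for (unsigned i = 0; i < l->count; i++) {
        bool in_window = now < l->starts[i] || now - l->starts[i] < l->window_sec;
        if (in_window)
            l->starts[keep++] = l->starts[i];
    }
    l->count = keep;

    if (l->count >= l->max_per_window) {
        l->refused++;
        return false;
    }
    l->starts[l->count++] = now;
    return true;
}

/* Simulate a client that starts `attempts` handshakes within one second and
 * return how many of them the limiter accepted. */
unsigned reneg_flood_accepted(unsigned attempts, unsigned max_per_window,
                              unsigned window_sec)
{
    reneg_limiter l;
    reneg_init(&l, max_per_window, window_sec);
    unsigned accepted = 0;
    for (unsigned i = 0; i < attempts; i++)
        if (reneg_allow(&l, 1000))
            accepted++;
    return accepted;
}

/* Constructed timeline: budget 3 per 10 s; starts at t=100..103 and 109,
 * then one at t=110 after the t=100 start has aged out. */
bool reneg_scenario_ok(void)
{
    reneg_limiter l;
    reneg_init(&l, 3, 10);
    bool ok = reneg_allow(&l, 100) && reneg_allow(&l, 101) && reneg_allow(&l, 102);
    ok = ok && !reneg_allow(&l, 103);   /* fourth start inside the window: refused */
    ok = ok && !reneg_allow(&l, 109);   /* t=100 is still inside the window */
    ok = ok && reneg_allow(&l, 110);    /* t=100 aged out, budget has room again */
    return ok && l.refused == 2 && l.count == 3;
}

int main(void)
{
    reneg_limiter l;
    reneg_init(&l, 3, 10);
    for (uint64_t t = 100; t < 106; t++)
        printf("t=%llu handshake start: %s\n", (unsigned long long)t,
               reneg_allow(&l, t) ? "accepted" : "refused, close connection");
    printf("refused so far: %u\n", l.refused);
    printf("50 starts in one second with a budget of 5: %u accepted\n",
           reneg_flood_accepted(50, 5, 10));
    return 0;
}
```

In a real server the limiter would be fed from the info callback installed with SSL_CTX_set_info_callback(), which OpenSSL invokes with SSL_CB_HANDSHAKE_START at the beginning of every handshake on a connection, renegotiations included; when reneg_allow() returns false the callback's owner closes the socket rather than letting the handshake proceed to the private-key operation. Keeping the limiter in the application means the policy lands exactly where the quoted reply wanted it, without waiting for a "renegotiation_rate" option in the library.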

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]