Thanks marek, I didnt know abt the R option on s_server. Is it possible to make IE renegotiate? I have a rather complex testing requirement and I cannot test using s_client, somehow I need to ensure the client triggers renegotiation. I got a KB on IE
http://support.microsoft.com/kb/265369 and tried to introduce that symptom..but on XP its not happening.. Any suggestions as to how I can make IE trigger renegotiation once in few minutes? Thanks --Gayathri Hello, > I would like to know as an ssl server, when do I send a "Hello > request" on the wire? Based on what parameters should I trigger that? > I have quite a few questions based on this > > A) Does the re-handshake happen on the existing tcp connection? i.e > the tcp connection over which the "hello request" message is sent by > the my server? Yes. > B) After the rehandshake is completed, does application data continue > to flow in the same tcp connection but now with the new cipher parameters? Yes. > C) Does rehandhake involve public key operations as well? i.e does the > premaster secret change? Yes. You can experiment with SSL renegotiation using openssl command. Run in "server" window command: $ openssl s_server -key vpn-server-key.pem -cert vpn-server-crt.pem -msg -debug -cipher AES256-SHA -state next, in "client" window run: $ openssl s_client -msg -debug -state and you will see proper SSL session established connection. Now, in "server" windows type: R<enter> this will trigger renegotation, you will see a lot of messages and on client side you will see client_key_exchange packet sent to server with new pre_master_secret. > I am really confused and I did spend sometime with the RFC, but I am > really lost..I was thinking if I called the API : > SSL_CTX_set_timeout(), then the session will eventually expire and end > up triggering a rehandshake if application data was flowing in that > session at expiration time. But I didnt see any such messages go out on the wire. This sets only timeout for session resumption. This is done for performance reasons to not overload server with time-consuming private key operation. For example browser connection to WWW server over https with HTTP/1.0 can generate new session for any gif, html and other. So if this connections are made within preconfigured time, server may use already established encryption parameters (identified by session_id in client_hello packet) to get abbreviated handshake. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ******************************************************************************** This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you. Intoto Inc. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
