Saju, forget about sender and receiver. Your communication endpoint, i.e. client or server, issues a renegotiation on an SSL connection handle, just like it reads and writes to this SSL connection handle. Which logic you apply on when to issue your call to renegotiate is up to you and depends on your requirements. Usually you don't have the other communication endpoint under your control, so you should get clear about your side: Do you have to initiate renegotiation at all? If yes, when? And how do you react to a renegotiation request from the peer?
HTH,
Patrick Eisenacher

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Saju Paul
> Sent: Tuesday, February 02, 2010 4:24 PM
> To: openssl-users@openssl.org
> Subject: RE: SSL renegotiation clarifications
>
> Thank you Patrick. I'm aware that the SSL Client (SSL_connect) and SSL Server (SSL_accept) can renegotiate an SSL session. But my question is: should the Sender (SSL_write) or the Receiver (SSL_read) do the renegotiation? For ex: if the Sender and Receiver decide to renegotiate either at a size (1G) or a time (2 minute) boundary, would it not result in two renegotiations at the boundary between the server and client? So even if either side can renegotiate, is there a preferred renegotiator? Not sure if that is even a word, but I hope you know where I'm going with this...
>
> Saju
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher, Patrick
> Sent: Tuesday, February 02, 2010 9:07 AM
> To: 'openssl-users@openssl.org'
> Subject: RE: SSL renegotiation clarifications
>
> Hi Saju,
>
> -----Original Message-----
> From: Saju Paul
>
> Who as in Sender-encrypter or Receiver-decrypter should renegotiate an SSL session? Can it be both or is it only the Sender? Is there a document that describes the protocol?
> Does renegotiation always require an SSL handshake (SSL_do_handshake)? Are there any circumstances where the handshake is not necessary? SSL renegotiation described @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html is a reference I'm planning to use and it suggests that the handshake is necessary. Need reconfirmation.
>
> ---
>
> Renegotiation is part of the SSL/TLS protocol and as such defined exactly there. Both client and server can initiate the renegotiation. And yes, renegotiation always triggers a new handshake.
>
> Please be aware that a security weakness was discovered lately in this renegotiation mechanism. A new TLS extension draft was published to close this weakness. Currently, work is ongoing to adapt this extension in the relevant security tools.
>
> HTH,
> Patrick
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
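A toy model of Saju's "two renegotiations at the boundary" question, added here as an illustration (it is not code from the thread or from OpenSSL): each endpoint applies the same byte/time policy, and the simulation counts how many handshakes happen when an endpoint does, or does not, treat a peer-started renegotiation as a fresh start for its own counters. The class, function and parameter names are my own; the OpenSSL calls appear only in comments.

```python
from dataclasses import dataclass


@dataclass
class RenegotiationPolicy:
    """Per-endpoint rule for when to call SSL_renegotiate() (hypothetical)."""
    max_bytes: int              # e.g. 1 GiB
    max_seconds: float          # e.g. 120 s
    reset_on_peer: bool = True  # treat a peer-started handshake as a fresh start
    bytes_used: int = 0         # bytes read + written under the current keys
    last_handshake: float = 0.0

    def account(self, n_bytes: int) -> None:
        """Count traffic in both directions (SSL_read and SSL_write)."""
        self.bytes_used += n_bytes

    def should_renegotiate(self, now: float) -> bool:
        return (self.bytes_used >= self.max_bytes
                or now - self.last_handshake >= self.max_seconds)

    def on_handshake_done(self, now: float, initiated_by_me: bool) -> None:
        if initiated_by_me or self.reset_on_peer:
            self.bytes_used = 0
            self.last_handshake = now


def simulate(total_bytes: int, chunk: int, reset_on_peer: bool,
             max_bytes: int = 1 << 30, max_seconds: float = 120.0) -> int:
    """Client streams total_bytes to the server in chunk-sized writes one
    second apart; returns how many renegotiations both sides ran in total."""
    client = RenegotiationPolicy(max_bytes, max_seconds, reset_on_peer)
    server = RenegotiationPolicy(max_bytes, max_seconds, reset_on_peer)
    handshakes, now = 0, 0.0
    for _ in range(0, total_bytes, chunk):
        now += 1.0
        client.account(chunk)  # SSL_write() on the client
        server.account(chunk)  # SSL_read() on the server
        # Each side applies its own policy; a completed handshake is seen by both.
        for me, peer in ((client, server), (server, client)):
            if me.should_renegotiate(now):
                handshakes += 1  # SSL_renegotiate() + SSL_do_handshake()
                me.on_handshake_done(now, initiated_by_me=True)
                peer.on_handshake_done(now, initiated_by_me=False)
    return handshakes


if __name__ == "__main__":
    print("reset on peer handshake:", simulate(2 << 30, 256 << 20, True))
    print("independent counters:  ", simulate(2 << 30, 256 << 20, False))
```

With independent counters both sides renegotiate at every 1 GiB boundary (four handshakes for 2 GiB); counting both directions and resetting on any completed handshake halves that, whichever side happens to reach the boundary first.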