[openssl-dev] How to do reneg with client certs in 1.1.0 API

Matt Caswell matt at openssl.org
Mon Feb 8 15:52:20 UTC 2016



On 08/02/16 15:46, Viktor Dukhovni wrote:
> 
>> On Feb 8, 2016, at 9:49 AM, Matt Caswell <matt at openssl.org> wrote:
>>
>> Actually, yes that is a good point. There could be some subtle security
>> issues there. You probably need to additionally check that you are not
>> halfway through a handshake:
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> do {
>>    read_some_app_data();
>>    if(no_client_cert_yet() || SSL_in_init(ssl)) {
>>        discard_app_data();
>>    }
>> } while(no_client_cert_yet() || SSL_in_init(ssl));
> 
> Indeed, but discarding the data may not be an option,


Sure. I was answering the specific question posed by Tomas:

"What if the server wants to discard all the application data that was
sent before the renegotiation completed?"

Matt

