[openssl-dev] How to do reneg with client certs in 1.1.0 API
Matt Caswell
matt at openssl.org
Mon Feb 8 15:52:20 UTC 2016
On 08/02/16 15:46, Viktor Dukhovni wrote:
>
>> On Feb 8, 2016, at 9:49 AM, Matt Caswell <matt at openssl.org> wrote:
>>
>> Actually, yes that is a good point. There could be some subtle security
>> issues there. You probably need to additionally check that you are not
>> halfway through a handshake:
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> do {
>>     read_some_app_data();
>>     if(no_client_cert_yet() || SSL_in_init(ssl)) {
>>         discard_app_data();
>>     }
>> } while(no_client_cert_yet() || SSL_in_init(ssl));
>
> Indeed, but discarding the data may not be an option,
Sure. I was answering the specific question posed by Tomas:
"What if the server wants to discard all the application data that was
sent before the renegotiation completed?"
Matt