OpenBSD manual page server

Manual Page Search Parameters

SSL_RENEGOTIATE(3) Library Functions Manual SSL_RENEGOTIATE(3)

SSL_renegotiate, SSL_renegotiate_abbreviated, SSL_renegotiate_pendinginitiate a new TLS handshake

#include <openssl/ssl.h>

SSL_renegotiate(SSL *ssl);

SSL_renegotiate_abbreviated(SSL *ssl);

SSL_renegotiate_pending(SSL *ssl);

When called from the client side, SSL_renegotiate() schedules a completely new handshake over an existing TLS connection. The next time an I/O operation such as SSL_read() or SSL_write() takes place on the connection, a check is performed to confirm that it is a suitable time to start a renegotiation. If so, a new handshake is initiated immediately. An existing session associated with the connection is not resumed.

This function is automatically called by SSL_read(3) and SSL_write(3) whenever the renegotiation byte count set by BIO_set_ssl_renegotiate_bytes(3) or the timeout set by BIO_set_ssl_renegotiate_timeout(3) are exceeded.

When called from the client side, SSL_renegotiate_abbreviated() is similar to SSL_renegotiate() except that resuming the session associated with the current connection is attempted in the new handshake.

When called from the server side, SSL_renegotiate() and SSL_renegotiate_abbreviated() behave identically. They both schedule a request for a new handshake to be sent to the client. The next time an I/O operation is performed, the same checks as on the client side are performed and then, if appropriate, the request is sent. The client may or may not respond with a new handshake and it may or may not attempt to resume an existing session. If a new handshake is started, it is handled transparently during any I/O function.

If a LibreSSL client receives a renegotiation request from a server, it is also handled transparently during any I/O function. The client attempts to resume the current session in the new handshake. For historical reasons, DTLS clients do not attempt to resume the session in the new handshake.

SSL_renegotiate() and SSL_renegotiate_abbreviated() return 1 on success or 0 on error.

SSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation request has been scheduled but not yet acted on, or 0 otherwise.

ssl(3), SSL_do_handshake(3), SSL_num_renegotiations(3), SSL_read(3), SSL_write(3)

SSL_renegotiate() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.

SSL_renegotiate_pending() first appeared in OpenSSL 0.9.7 and has been available since OpenBSD 3.2.

SSL_renegotiate_abbreviated() first appeared in OpenSSL 1.0.1 and has been available since OpenBSD 5.3.

June 12, 2019 OpenBSD-current