
SSL_renegotiate and SSL_do_handshake


k b
Nov 29, 2007, 4:11:35 PM
Hi,
I have a client that connects to a server for a long duration of time,
and I'm trying to refresh the session keys.

From what I have read, for OpenSSL 0.9.7 and up the steps to do this are
pretty simple:

SSL_renegotiate(SSL *)
SSL_do_handshake(SSL *)

and then, to confirm, call SSL_renegotiate_pending to check the status.

The problem I'm seeing is that I don't see SSL_renegotiate_pending returning 0
to indicate that the renegotiation completed.
I'm using OpenSSL 0.9.7, and SSL_get_version returns TLSv1, which I think is fine.

Q1) By the way, I'm making this call from the client. Should this matter?
Q2) Is there anything else that I need to do, or am I missing something?

Any insights would be appreciated.

-Kunal

Here is the client code snippet:

#include <stdio.h>
#include <time.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>

extern SSL *mySSL;            // connected client SSL object, set up elsewhere in the program
void SendDataToServer(void);  // application-level write, defined elsewhere in the program

void run() {
    time_t lastRenewTime;
    time_t currentTime;

    time(&lastRenewTime);
    // not "static": a static local cannot be initialised with a function call in C
    BIO *out = BIO_new_fp(stdout, BIO_NOCLOSE);

    printf("SSL/TLS version : %s \n", SSL_get_version(mySSL));
    // SSL_get1_session() takes a reference, so the old session stays valid for
    // comparison after the renegotiation replaces it (SSL_get_session() does not)
    SSL_SESSION *session = SSL_get1_session(mySSL);

    printf("session A\n");
    SSL_SESSION_print(out, session);

    while (1)
    {
        time(&currentTime);

        if ((currentTime - lastRenewTime) > 10)
        {
            printf("renegotiating ...\n");
            SSL_renegotiate(mySSL);                        // schedule a new handshake
            int pending = SSL_renegotiate_pending(mySSL);  // 1 until the handshake finishes
            int handShake = SSL_do_handshake(mySSL);       // return value is printed, not examined with SSL_get_error()
            int timeout = 20000;

            printf("do_handshake %d\n", handShake);
            do {
                timeout--;
                // i think the actual renegotiate req would only go to server
                // whenever a data is sent. right ?
                SendDataToServer();
                SSL_do_handshake(mySSL);
            } while (pending && SSL_renegotiate_pending(mySSL) && timeout > 0);

            SSL_SESSION *newSession = SSL_get_session(mySSL);
            // SSL_SESSION_cmp() exists in 0.9.7 (it was removed in later releases)
            printf("session compare %d\n", SSL_SESSION_cmp(session, newSession));
            if (!newSession) {
                printf("session B \n");
                SSL_SESSION_print(out, session);
            }

            printf("timeout %d\n", timeout);
            if (timeout <= 0)
            {
                printf("ERROR in refreshing keys\n");
            }
            // without this the renegotiation is repeated on every loop iteration
            lastRenewTime = currentTime;
        }
        // read from and write to server.
    }
}

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

k b
Nov 29, 2007, 9:12:03 PM
Ok, so it's kind of working now.

Kinda, because after a do_handshake, any read on the server returns -1,
but if you ignore this one and continue, the subsequent read works.
And data transfer is back to normal with the new session.

Any reason why the read would fail?
Are there any settings that I could use on the SSL_CTX that might be helpful?
Or is there an alternative way to handle this:
1) the read would block till renegotiation successfully completes, or
2) I don't know, maybe read returns zero.

I don't have access to the server code, so I possibly can't change the way the
read is performed.

Again, any insights would be appreciated.
Thanks,
Kunal


Kyle Hamilton
Nov 29, 2007, 10:17:20 PM
Read will fail if write must be done. Write will fail if read must be
done. The bug is that you're not checking for the SSL_ERROR_WANT_READ
or SSL_ERROR_WANT_WRITE required error statuses -- if you get either
of those, you just need to retry the operation again (i.e., treat just
like EAGAIN in POSIX).

Please see http://www.openssl.org/docs/ssl/SSL_read.html for more
information, specifically the part just above the huge WARNING
section. (I don't know if 0.9.7 has SSL_get_mode/SSL_set_mode, or if
SSL_MODE_AUTO_RETRY is implemented, so I don't know if setting that
will work in your environment.) It's important to note, though, that
the documentation there is very unclear. (the reason for those codes
is so that a process can implement its own BIOs and fill the buffers
on its own.)

-Kyle H

On Nov 29, 2007 6:11 PM, k b <k_b...@hotmail.com> wrote:
> Ok, so it's kind of working now.
>
> Kinda, because after a do_handshake, any read on the server returns -1,
> but if you ignore this one and continue, the subsequent read works.
> And data transfer is back to normal with the new session.
>
> Any reason why the read would fail?
> Are there any settings that I could use on the SSL_CTX that might be helpful?
> Or is there an alternative way to handle this:
> 1) the read would block till renegotiation successfully completes, or
> 2) I don't know, maybe read returns zero.
>
> I don't have access to the server code, so I possibly can't change the way the
> read is performed.
>
> Again, any insights would be appreciated.
> Thanks,
> Kunal
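Kyle's point above, that a -1 from SSL_read/SSL_do_handshake must be classified with SSL_get_error() and retried only on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE, as an added example that is not from this thread or from OpenSSL itself. It uses the real numeric values of OpenSSL's SSL_ERROR_* codes but a constructed, scripted stand-in for the SSL object (the `fake_ssl`, `fake_op`, `fake_err` and `ssl_retry` names are assumptions), so it builds and runs without libssl; with a live connection the same loop wraps SSL_read/SSL_do_handshake and SSL_get_error.

```c
/* SSL_get_error() result codes, numeric values as in <openssl/ssl.h>;
 * redefined here so the example builds and runs without libssl. */
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_ZERO_RETURN 6

/* Shape of an SSL_read/SSL_write/SSL_do_handshake call, and of SSL_get_error(). */
typedef int (*ssl_op_fn)(void *ssl);
typedef int (*ssl_err_fn)(void *ssl, int ret);

/* Retry an SSL operation while OpenSSL only needs the other I/O direction
 * (WANT_READ / WANT_WRITE), which is exactly what a read hits while a
 * renegotiation handshake is still in flight. Returns the operation's
 * positive result, 0 on a clean close_notify, -1 on a real error or when
 * max_retries is exhausted; *err receives the last SSL_get_error() code. */
int ssl_retry(void *ssl, ssl_op_fn op, ssl_err_fn get_error, int max_retries, int *err) {
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        int ret = op(ssl);
        if (ret > 0) { *err = SSL_ERROR_NONE; return ret; }
        *err = get_error(ssl, ret);
        if (*err == SSL_ERROR_WANT_READ || *err == SSL_ERROR_WANT_WRITE)
            continue; /* blocking socket: call again; non-blocking: select()/poll() first */
        return *err == SSL_ERROR_ZERO_RETURN ? 0 : -1; /* anything else is not retryable */
    }
    return -1; /* still WANT_* after max_retries: give up instead of spinning forever */
}

/* Constructed stand-in for an SSL object: a scripted list of (return, error) pairs. */
typedef struct { const int *rets; const int *errs; int n, pos; } fake_ssl;
static int fake_op(void *p) { fake_ssl *f = p; return f->pos < f->n ? f->rets[f->pos++] : -1; }
static int fake_err(void *p, int ret) { fake_ssl *f = p; (void)ret; return f->errs[f->pos - 1]; }

/* The thread's symptom: the first SSL_read after SSL_do_handshake returns -1
 * with WANT_READ, the next needs a write, and the third delivers 42 bytes. */
int read_after_renegotiation(int *err) {
    static const int rets[] = { -1, -1, 42 };
    static const int errs[] = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, SSL_ERROR_NONE };
    fake_ssl f = { rets, errs, 3, 0 };
    return ssl_retry(&f, fake_op, fake_err, 10, err);
}

/* A protocol failure must not be retried away: -1 with SSL_ERROR_SSL stays an error. */
int read_hits_fatal_error(int *err) {
    static const int rets[] = { -1, 42 };
    static const int errs[] = { SSL_ERROR_SSL, SSL_ERROR_NONE };
    fake_ssl f = { rets, errs, 2, 0 };
    return ssl_retry(&f, fake_op, fake_err, 10, err);
}
```

Ignoring the -1 and calling again, as the second post does, happens to work only because the failure was a WANT_READ; the same blind retry would also swallow a genuine SSL_ERROR_SSL, which is why the code is inspected first.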
