PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

API for finding out if handshake is over

Jan 30, 2018 10:46


Was looking for APi which tells if handshake is over. Misses to see but saw that mbedtls internally does


Will the team accept a new API like the following. API name can be changed, if required.

int mbedtls_ssl_is_handshake_done( const mbedtls_ssl_context ssl) {

    return (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER);

Similar API can be provider to find endpoint role(client or server)

Feb 5, 2018 15:06
Ron Eldor

Hi Devchandra,
Thank you for your suggestion. However, I don't see the rationale for these two new functions.
Since the application calls mbedtls_ssl_handshake(), once the function returns successfully, it knows the handshake is over.
In addition, the application itself initiates the ssl configuration as client or server, so the application knows whether it is a client or server.
Please give a justification for these two new functions.
Mbed TLS Team member

Feb 5, 2018 17:29

Dear Ron In case event based TLS programming, whenever there is new data from network, we should know if handshake is over so that we can decide whether to call mbedtls_ssl_handshake_step or mbedtls_ssl_read.

In the current approach, user is required to either dig into codebase or some sample/example of how to check the handshake status. Making it an API will provide useful documentation and also enhance encapsulation.

For knowing the client/server role from mbedtls_ssl_context by looking at the call of mbedtls_ssl_config_defaults or ssl.conf->endpoint.Having dedicated API will help. I favor explicit APIs.

We can live with current approaches for getting role but the handshaking API, user like me will definitely appreciate it.

Feb 8, 2018 05:17
Joshua Hendrick

What language?

Mar 28, 2018 14:35
Ron Eldor

Hi Devchandra,

In the current approach, user is required to either dig into codebase or some sample/example of how to check the handshake status.

Well, the sample applications are intended for the users to learn how to use Mbed TLS.
You can look at the ssl_client2 what is done in the handshake phase.
mbedtls_ssl_handshake() is run in a loop, as long as the error code is MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE. If return code is zero, then it means that the handshake is finished, successfully.

In addition, mbedtls_ssl_read() performs the handshake as well, if the handshake is not over.
I believe that you don't need to add any API, only run mbedtls_ssl_handshake() until it returns zero, and this is how you know the handshake is successfully over.
Mbed TLS Team member