Questions about renego_status
Recently, i have been reading the source code about mbed TLS , in the part of how ssl_client1 conmunicates with ssl_server, i may encounter some problems , i can't really understand what's the meaning of "renego_status"。Renego_status have foure states:
who can explain it for me? thanks very much !!!
As shown in the documentation:
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
These definitions are used internally by the TLS state machine, and define the current status of renegotiation.
MBEDTLS_SSL_INITIAL_HANDSHAKE - initialized status, and negotiation is not done
MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS - we are currently doing renegotiation
MBEDTLS_SSL_RENEGOTIATION_DONE - renegotiation has finished
MBEDTLS_SSL_RENEGOTIATION_PENDING - we are a TLS server, and we asked the client to renegotiate
Mbed TLS Team member
Hi Ron, Thanks for your reply. But i'm still confused about something： Your answer means that MBEDTLS_SSL_INITIAL_HANDSHAKE happens in the first handshake between client and server, at that stage(1) they don't have any history session data that can be resumed. MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS and MBEDTLS_SSL_RENEGOTIATION_DONE happen in the second handshake between client and server,at that stage(2) they will resume history session data which they got from last handshake. My understanding is right or not ??? Can you help me mark the renego_status in the follow sketch1）2) ? Thanks very much!!!
1) Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
2) Client Server
ClientHello --------> <-------- ServerHello [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
who can answer my question???Ron??
I think your are confusing between session renegotiation and session resumption.
Session renegotiation happens after a first negotiation, and can be used to allow the Client and Server to change the Cipher negotiated during the first handshake which provided the flexibility to change the Authentication Method as well as Cipher for Data Transfer. It is triggered, as mentioned in the code:
/* * Actually renegotiate current connection, triggered by either: * - any side: calling mbedtls_ssl_renegotiate(), * - client: receiving a HelloRequest during mbedtls_ssl_read(), * - server: receiving any handshake message on server during mbedtls_ssl_read() after * the initial handshake is completed. * If the handshake doesn't complete due to waiting for I/O, it will continue * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. */
AS mentioned, renegotiation allows changing the negotiated cipher, on a secure connection.
Session resumption is what you are describing in (2). This allows the client to resume a previously established connection, by sending a session ID to the server, as part of the
Mbed TLS Team member