1SSL_KEY_UPDATE(3)                   OpenSSL                  SSL_KEY_UPDATE(3)
2
3
4

NAME

6       SSL_key_update, SSL_get_key_update_type, SSL_renegotiate,
7       SSL_renegotiate_abbreviated, SSL_renegotiate_pending - initiate and
8       obtain information about updating connection keys
9

SYNOPSIS

11        #include <openssl/ssl.h>
12
13        int SSL_key_update(SSL *s, int updatetype);
14        int SSL_get_key_update_type(const SSL *s);
15
16        int SSL_renegotiate(SSL *s);
17        int SSL_renegotiate_abbreviated(SSL *s);
18        int SSL_renegotiate_pending(const SSL *s);
19

DESCRIPTION

21       SSL_key_update() schedules an update of the keys for the current TLS
22       connection.  If the updatetype parameter is set to
23       SSL_KEY_UPDATE_NOT_REQUESTED then the sending keys for this connection
24       will be updated and the peer will be informed of the change. If the
25       updatetype parameter is set to SSL_KEY_UPDATE_REQUESTED then the
26       sending keys for this connection will be updated and the peer will be
27       informed of the change along with a request for the peer to
28       additionally update its sending keys. It is an error if updatetype is
29       set to SSL_KEY_UPDATE_NONE.
30
31       SSL_key_update() must only be called after the initial handshake has
32       been completed and TLSv1.3 has been negotiated. The key update will not
33       take place until the next time an IO operation such as SSL_read_ex() or
34       SSL_write_ex() takes place on the connection. Alternatively
35       SSL_do_handshake() can be called to force the update to take place
36       immediately.
37
38       SSL_get_key_update_type() can be used to determine whether a key update
39       operation has been scheduled but not yet performed. The type of the
40       pending key update operation will be returned if there is one, or
41       SSL_KEY_UPDATE_NONE otherwise.
42
43       SSL_renegotiate() and SSL_renegotiate_abbreviated() should only be
44       called for connections that have negotiated TLSv1.2 or less. Calling
45       them on any other connection will result in an error.
46
47       When called from the client side, SSL_renegotiate() schedules a
48       completely new handshake over an existing SSL/TLS connection. The next
49       time an IO operation such as SSL_read_ex() or SSL_write_ex() takes
50       place on the connection a check will be performed to confirm that it is
51       a suitable time to start a renegotiation. If so, then it will be
52       initiated immediately. OpenSSL will not attempt to resume any session
53       associated with the connection in the new handshake.
54
55       When called from the client side, SSL_renegotiate_abbreviated() works
56       in the same was as SSL_renegotiate() except that OpenSSL will attempt
57       to resume the session associated with the current connection in the new
58       handshake.
59
60       When called from the server side, SSL_renegotiate() and
61       SSL_renegotiate_abbreviated() behave identically. They both schedule a
62       request for a new handshake to be sent to the client. The next time an
63       IO operation is performed then the same checks as on the client side
64       are performed and then, if appropriate, the request is sent. The client
65       may or may not respond with a new handshake and it may or may not
66       attempt to resume an existing session. If a new handshake is started
67       then this will be handled transparently by calling any OpenSSL IO
68       function.
69
70       If an OpenSSL client receives a renegotiation request from a server
71       then again this will be handled transparently through calling any
72       OpenSSL IO function. For a TLS connection the client will attempt to
73       resume the current session in the new handshake. For historical
74       reasons, DTLS clients will not attempt to resume the session in the new
75       handshake.
76
77       The SSL_renegotiate_pending() function returns 1 if a renegotiation or
78       renegotiation request has been scheduled but not yet acted on, or 0
79       otherwise.
80

RETURN VALUES

82       SSL_key_update(), SSL_renegotiate() and SSL_renegotiate_abbreviated()
83       return 1 on success or 0 on error.
84
85       SSL_get_key_update_type() returns the update type of the pending key
86       update operation or SSL_KEY_UPDATE_NONE if there is none.
87
88       SSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation
89       request has been scheduled but not yet acted on, or 0 otherwise.
90

SEE ALSO

92       ssl(7), SSL_read_ex(3), SSL_write_ex(3), SSL_do_handshake(3)
93

HISTORY

95       The SSL_key_update() and SSL_get_key_update_type() functions were added
96       in OpenSSL 1.1.1.
97
99       Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
100
101       Licensed under the OpenSSL license (the "License").  You may not use
102       this file except in compliance with the License.  You can obtain a copy
103       in the file LICENSE in the source distribution or at
104       <https://www.openssl.org/source/license.html>.
105
106
107
1081.1.1k                            2021-03-26                 SSL_KEY_UPDATE(3)
Impressum