1SSL_KEY_UPDATE(3ossl) OpenSSL SSL_KEY_UPDATE(3ossl)
2
3
4
6 SSL_key_update, SSL_get_key_update_type, SSL_renegotiate,
7 SSL_renegotiate_abbreviated, SSL_renegotiate_pending - initiate and
8 obtain information about updating connection keys
9
11 #include <openssl/ssl.h>
12
13 int SSL_key_update(SSL *s, int updatetype);
14 int SSL_get_key_update_type(const SSL *s);
15
16 int SSL_renegotiate(SSL *s);
17 int SSL_renegotiate_abbreviated(SSL *s);
18 int SSL_renegotiate_pending(const SSL *s);
19
21 SSL_key_update() schedules an update of the keys for the current TLS
22 connection. If the updatetype parameter is set to
23 SSL_KEY_UPDATE_NOT_REQUESTED then the sending keys for this connection
24 will be updated and the peer will be informed of the change. If the
25 updatetype parameter is set to SSL_KEY_UPDATE_REQUESTED then the
26 sending keys for this connection will be updated and the peer will be
27 informed of the change along with a request for the peer to
28 additionally update its sending keys. It is an error if updatetype is
29 set to SSL_KEY_UPDATE_NONE.
30
31 SSL_key_update() must only be called after the initial handshake has
32 been completed and TLSv1.3 has been negotiated, at the same time, the
33 application needs to ensure that the writing of data has been
34 completed. The key update will not take place until the next time an IO
35 operation such as SSL_read_ex() or SSL_write_ex() takes place on the
36 connection. Alternatively SSL_do_handshake() can be called to force the
37 update to take place immediately.
38
39 SSL_get_key_update_type() can be used to determine whether a key update
40 operation has been scheduled but not yet performed. The type of the
41 pending key update operation will be returned if there is one, or
42 SSL_KEY_UPDATE_NONE otherwise.
43
44 SSL_renegotiate() and SSL_renegotiate_abbreviated() should only be
45 called for connections that have negotiated TLSv1.2 or less. Calling
46 them on any other connection will result in an error.
47
48 When called from the client side, SSL_renegotiate() schedules a
49 completely new handshake over an existing SSL/TLS connection. The next
50 time an IO operation such as SSL_read_ex() or SSL_write_ex() takes
51 place on the connection a check will be performed to confirm that it is
52 a suitable time to start a renegotiation. If so, then it will be
53 initiated immediately. OpenSSL will not attempt to resume any session
54 associated with the connection in the new handshake.
55
56 When called from the client side, SSL_renegotiate_abbreviated() works
57 in the same was as SSL_renegotiate() except that OpenSSL will attempt
58 to resume the session associated with the current connection in the new
59 handshake.
60
61 When called from the server side, SSL_renegotiate() and
62 SSL_renegotiate_abbreviated() behave identically. They both schedule a
63 request for a new handshake to be sent to the client. The next time an
64 IO operation is performed then the same checks as on the client side
65 are performed and then, if appropriate, the request is sent. The client
66 may or may not respond with a new handshake and it may or may not
67 attempt to resume an existing session. If a new handshake is started
68 then this will be handled transparently by calling any OpenSSL IO
69 function.
70
71 If an OpenSSL client receives a renegotiation request from a server
72 then again this will be handled transparently through calling any
73 OpenSSL IO function. For a TLS connection the client will attempt to
74 resume the current session in the new handshake. For historical
75 reasons, DTLS clients will not attempt to resume the session in the new
76 handshake.
77
78 The SSL_renegotiate_pending() function returns 1 if a renegotiation or
79 renegotiation request has been scheduled but not yet acted on, or 0
80 otherwise.
81
83 SSL_key_update(), SSL_renegotiate() and SSL_renegotiate_abbreviated()
84 return 1 on success or 0 on error.
85
86 SSL_get_key_update_type() returns the update type of the pending key
87 update operation or SSL_KEY_UPDATE_NONE if there is none.
88
89 SSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation
90 request has been scheduled but not yet acted on, or 0 otherwise.
91
93 ssl(7), SSL_read_ex(3), SSL_write_ex(3), SSL_do_handshake(3)
94
96 The SSL_key_update() and SSL_get_key_update_type() functions were added
97 in OpenSSL 1.1.1.
98
100 Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
101
102 Licensed under the Apache License 2.0 (the "License"). You may not use
103 this file except in compliance with the License. You can obtain a copy
104 in the file LICENSE in the source distribution or at
105 <https://www.openssl.org/source/license.html>.
106
107
108
1093.0.9 2023-07-27 SSL_KEY_UPDATE(3ossl)