xref: /freebsd/secure/lib/libcrypto/man/man3/SSL_key_update.3 (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF
Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "SSL_KEY_UPDATE 3"
SSL_KEY_UPDATE 3 "2023-05-30" "3.0.9" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
SSL_key_update, SSL_get_key_update_type, SSL_renegotiate, SSL_renegotiate_abbreviated, SSL_renegotiate_pending \- initiate and obtain information about updating connection keys
"SYNOPSIS"
Header "SYNOPSIS" .Vb 1 #include <openssl/ssl.h> \& int SSL_key_update(SSL *s, int updatetype); int SSL_get_key_update_type(const SSL *s); \& int SSL_renegotiate(SSL *s); int SSL_renegotiate_abbreviated(SSL *s); int SSL_renegotiate_pending(const SSL *s); .Ve
"DESCRIPTION"
Header "DESCRIPTION" \fBSSL_key_update() schedules an update of the keys for the current \s-1TLS\s0 connection. If the updatetype parameter is set to \s-1SSL_KEY_UPDATE_NOT_REQUESTED\s0 then the sending keys for this connection will be updated and the peer will be informed of the change. If the updatetype parameter is set to \fB\s-1SSL_KEY_UPDATE_REQUESTED\s0 then the sending keys for this connection will be updated and the peer will be informed of the change along with a request for the peer to additionally update its sending keys. It is an error if updatetype is set to \s-1SSL_KEY_UPDATE_NONE\s0.

\fBSSL_key_update() must only be called after the initial handshake has been completed and TLSv1.3 has been negotiated, at the same time, the application needs to ensure that the writing of data has been completed. The key update will not take place until the next time an \s-1IO\s0 operation such as SSL_read_ex() or SSL_write_ex() takes place on the connection. Alternatively SSL_do_handshake() can be called to force the update to take place immediately.

\fBSSL_get_key_update_type() can be used to determine whether a key update operation has been scheduled but not yet performed. The type of the pending key update operation will be returned if there is one, or \s-1SSL_KEY_UPDATE_NONE\s0 otherwise.

\fBSSL_renegotiate() and SSL_renegotiate_abbreviated() should only be called for connections that have negotiated TLSv1.2 or less. Calling them on any other connection will result in an error.

When called from the client side, SSL_renegotiate() schedules a completely new handshake over an existing \s-1SSL/TLS\s0 connection. The next time an \s-1IO\s0 operation such as SSL_read_ex() or SSL_write_ex() takes place on the connection a check will be performed to confirm that it is a suitable time to start a renegotiation. If so, then it will be initiated immediately. OpenSSL will not attempt to resume any session associated with the connection in the new handshake.

When called from the client side, SSL_renegotiate_abbreviated() works in the same was as SSL_renegotiate() except that OpenSSL will attempt to resume the session associated with the current connection in the new handshake.

When called from the server side, SSL_renegotiate() and \fBSSL_renegotiate_abbreviated() behave identically. They both schedule a request for a new handshake to be sent to the client. The next time an \s-1IO\s0 operation is performed then the same checks as on the client side are performed and then, if appropriate, the request is sent. The client may or may not respond with a new handshake and it may or may not attempt to resume an existing session. If a new handshake is started then this will be handled transparently by calling any OpenSSL \s-1IO\s0 function.

If an OpenSSL client receives a renegotiation request from a server then again this will be handled transparently through calling any OpenSSL \s-1IO\s0 function. For a \s-1TLS\s0 connection the client will attempt to resume the current session in the new handshake. For historical reasons, \s-1DTLS\s0 clients will not attempt to resume the session in the new handshake.

The SSL_renegotiate_pending() function returns 1 if a renegotiation or renegotiation request has been scheduled but not yet acted on, or 0 otherwise.

"RETURN VALUES"
Header "RETURN VALUES" \fBSSL_key_update(), SSL_renegotiate() and SSL_renegotiate_abbreviated() return 1 on success or 0 on error.

\fBSSL_get_key_update_type() returns the update type of the pending key update operation or \s-1SSL_KEY_UPDATE_NONE\s0 if there is none.

\fBSSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation request has been scheduled but not yet acted on, or 0 otherwise.

"SEE ALSO"
Header "SEE ALSO" \fBssl\|(7), SSL_read_ex\|(3), \fBSSL_write_ex\|(3), \fBSSL_do_handshake\|(3)
"HISTORY"
Header "HISTORY" The SSL_key_update() and SSL_get_key_update_type() functions were added in OpenSSL 1.1.1.
"COPYRIGHT"
Header "COPYRIGHT" Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.