One of the new features in wolfSSL 4.6.0 is the ability to process application data during a (D)TLS 1.2 secure renegotiation. The new functionality (added in commit 7c89d10e5362ec281ce61ff12f37a091aa124e98) allows users to send and receive their data during the re-handshake process. Sending data can be accomplished, when using non-blocking sockets, by calling the wolfSSL_write API during a secure renegotiation. To read data during a secure renegotiation, use the wolfSSL_read API.

The wolfSSL examples have been updated to test exchanging application data during a secure renegotiation. To enable and test this new feature, build wolfSSL 4.6.0 with the following commands:

./configure –enable-secure-renegotiation make

Run the following TLS examples simultaneously in separate windows to demonstrate application data with secure renegotiation:

./examples/server/server -M -m -d -N ./examples/client/client -R -i scr-app-data -N

To run the same tests with DTLS add --enable-dtls to the configure parameters and add -u to both of the example parameters:

./configure –enable-secure-renegotiation –enable-dtls make ./examples/server/server -M -m -d -N -u ./examples/client/client -R -i scr-app-data -N -u

Users who use secure renegotiation must also expect and handle a new error value. wolfSSL TLS API’s (wolfSSL_connect, wolfSSL_accept, wolfSSL_read, wolfSSL_write) may now return a failure and set the error code to APP_DATA_READY (retrievable by wolfSSL_get_error). This signals to the user that wolfSSL has received application data during a secure renegotiation. The user should immediately call wolfSSL_read to retrieve the received data. If wolfSSL_read is not called immediately after receiving the APP_DATA_READY error code then the data may be dropped if new application data is received. This applies to both TLS and DTLS.

An example connect loop using non-blocking sockets which processes application data during a secure renegotiation: ``` if ((ret = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE || err == APP_DATA_READY) { do { if (err == APP_DATA_READY) { if ((ret = wolfSSL_read(ssl, reply, sizeof(reply)-1)) If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.