
Is it possible to induce SSL renegotiation for a browser via the command line / a curl request? I know it is possible to rate limit SSL renegotiation, but I do not know how to do it the other way around.

I found some claims by F5 Networks' BIG-IP product, but there are no details on how this is achieved.

Further, what is the criterion for a web browser to renegotiate TLS keys?

I believe the renegotiation is probably done after a particular timeout, in which case is it possible to change the timeout value in a browser (Chrome or Firefox)?

There are some references on how to do it with Apache's mod_tls, but I am particularly looking to do it for a web browser. Recompiling the browser can be considered.

1 Answer


Renegotiation usually happens in the HTTP client in the following cases:

  • the server requires a renegotiation, typically because the client tries to access a resource which requires a client certificate that the previous handshake did not include
  • a renegotiation is done for security reasons after some time or number of bytes transferred. In OpenSSL this can be tuned with BIO_set_ssl_renegotiate_bytes and BIO_set_ssl_renegotiate_timeout.
  • if the 64-bit TLS sequence number would overflow, a renegotiation is needed

There is not really a need for the user or even the developer to tune after how much time or how many transferred bytes a renegotiation should happen. And a short grep over the source code of Chromium does not indicate any place where the browser explicitly sets these parameters, i.e. it simply relies on the underlying TLS stack. This is BoringSSL in the case of Chromium, which is a derivative of OpenSSL, so you can probably use the functions described above to do your own tuning by modifying the source code.

Steffen Ullrich
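On the command-line part of the question (inducing a renegotiation without a browser), the following is an added example and not part of the question or of the answer above. It relies on two documented features of the OpenSSL command-line tool: `openssl s_client` treats a line consisting of `R` on its standard input as a request to renegotiate (TLS 1.2 and below only, since TLS 1.3 removed renegotiation), and `-msg` prints every handshake message, so a successful renegotiation shows up as a second ClientHello on the same connection. The host and port are placeholders, and the transcript used to run the script offline is constructed here, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; host/port passed to renegotiate_once are placeholders.

# Open one TLS 1.2 connection, let the first handshake finish, ask s_client
# to renegotiate with its 'R' command, then close with 'Q'. -msg logs every
# handshake message so the result can be checked afterwards.
# Usage: renegotiate_once example.test 443 > s_client.log 2>&1
renegotiate_once() {
    host=$1
    port=$2
    {
        sleep 2          # let the initial handshake complete first
        printf 'R\n'     # s_client's renegotiation command (TLS <= 1.2)
        sleep 2          # give the second handshake time to run
        printf 'Q\n'     # s_client's quit command
    } | openssl s_client -connect "$host:$port" -servername "$host" \
                         -tls1_2 -msg
}

# Count ClientHello messages in an 's_client -msg' transcript read from
# stdin. One ClientHello is a normal connection; a second one on the same
# connection means a renegotiation handshake was started.
count_client_hellos() {
    grep -c 'ClientHello'
}

# Exit status 0 if the transcript on stdin contains a renegotiation
# (two or more ClientHellos), 1 otherwise.
renegotiated() {
    n=$(count_client_hellos)
    [ "$n" -ge 2 ]
}

# Constructed transcript (not a real capture) in the shape of
# 'openssl s_client -msg' output, so the checks above can run offline:
# an initial handshake followed by a renegotiation handshake.
SAMPLE_TRANSCRIPT='>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0055], ServerHello
<<< TLS 1.2, Handshake [length 0a31], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0025], ClientKeyExchange
>>> TLS 1.2, ChangeCipherSpec [length 0001]
>>> TLS 1.2, Handshake [length 0010], Finished
<<< TLS 1.2, ChangeCipherSpec [length 0001]
<<< TLS 1.2, Handshake [length 0010], Finished
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0055], ServerHello
<<< TLS 1.2, Handshake [length 0a31], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone'

# Offline self-check against the constructed transcript.
if printf '%s\n' "$SAMPLE_TRANSCRIPT" | renegotiated; then
    echo "sample transcript shows a renegotiation"
else
    echo "sample transcript shows no renegotiation"
fi
```

Against a live server, run `renegotiate_once host 443 > s_client.log 2>&1` and then `renegotiated < s_client.log`. Expect many servers to refuse client-initiated renegotiation: instead of a second ClientHello being answered with a ServerHello you will see a no_renegotiation alert or the connection simply being closed, which is exactly the behaviour the question's rate-limiting and BIG-IP references are about. This only exercises the client side's request; it does not change when a browser's own TLS stack decides to renegotiate, which is the point the answer above makes.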