Renegotiation
Use this panel to specify renegotiation settings. SSL provides a mechanism to renegotiate an existing communications session, either to establish a new session key or to reset the session cipher. Renegotiation can be initiated by either the SSL server or the SSL client.
Before you begin, decide on the values and settings that you want to specify in the steps below. If you are satisfied with the defaults, you do not need to change anything on this panel.
Perform an identity check against the peer's certificate during renegotiation
Steps
- Clear the box to skip the identity check during renegotiation. The peer certificate is then allowed to change during renegotiation. This is the default.
- Check the box to perform an identity check during renegotiation. This ensures that the peer certificate does not change during renegotiation.
Select the type of session key renegotiation
Steps
- Click Allow only RFC 5746 renegotiations to disable SSL V3 and TLS handshake renegotiations as a server and allow RFC 5746 renegotiations. This is the default.
- Click No renegotiations allowed to disable SSL V3 and TLS handshake renegotiations as a server and also disable RFC 5746 renegotiations.
- Click Allow any renegotiation to allow SSL V3 and TLS handshake renegotiations as a server and allow RFC 5746 renegotiations.
- Click Allow RFC 5746 and SSL V3/TLS abbreviated renegotiations to allow SSL V3 and TLS abbreviated handshake renegotiations as a server for resuming the current session only, while disabling SSL V3 and TLS full handshake renegotiation as a server. The System SSL session ID cache is not checked when resuming the current session. This also allows RFC 5746 renegotiations.
Select the type of extended session key renegotiation
Steps
- Click Optional to indicate that the RFC 5746 renegotiation indicator is not required from the peer during the initial handshake. This is the default.
- Click Require RFC 5746 renegotiation to be supported by server for client initiated TLS sessions to allow the client initial handshake to proceed only when the server indicates support for RFC 5746 renegotiation.
- Click Require RFC 5746 renegotiation to be supported by client for server initiated TLS sessions to allow the server initial handshake to proceed only when the client indicates support for RFC 5746 renegotiation.
- Click Require RFC 5746 renegotiation to be supported by peer for all TLS sessions to allow the client and server initial handshakes to proceed only when the partner indicates support for RFC 5746 renegotiation.
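The four extended-renegotiation choices above all turn on one question: did the peer indicate RFC 5746 support during the initial handshake? RFC 5746 defines two ways a peer can do that: the renegotiation_info extension (type 0xFF01, carrying an empty renegotiated_connection value on an initial handshake) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite (0x00FF). The following is an added example, not code from the original panel help or from System SSL: it parses a ClientHello body for either signal and then applies each of the four settings to decide whether the initial handshake may proceed. The ClientHello bytes are constructed here for illustration, and the `Indicator` enum, `local_role` parameter and function names are this example's own assumptions, not System SSL or AT-TLS identifiers.

```python
"""Added example: detect the RFC 5746 renegotiation indicator in a ClientHello
and apply the four 'extended session key renegotiation' settings described
in the panel help. Names below are this example's own, not System SSL APIs."""
import struct
from enum import Enum

RENEGOTIATION_INFO_EXT = 0xFF01            # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello handshake body (the bytes after the 4-byte
    handshake header). Returns the offered cipher suites and a mapping of
    extension type -> extension data. A ServerHello needs a different parser
    (single cipher suite), but the same extension check applies to it."""
    off = 2                                  # skip client_version
    off += 32                                # skip random
    sid_len = body[off]
    off += 1 + sid_len                       # skip session_id
    cs_len = struct.unpack('!H', body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack('!H', body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]
    off += 1 + comp_len                      # skip compression_methods
    exts = {}
    if off < len(body):                      # extensions block is optional
        ext_len = struct.unpack('!H', body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack('!HH', body[off:off + 4])
            off += 4
            exts[etype] = body[off:off + elen]
            off += elen
    return {'cipher_suites': suites, 'extensions': exts}


def peer_signals_rfc5746(hello: dict) -> bool:
    """True if the peer indicated RFC 5746 support by either mechanism."""
    return (RENEGOTIATION_INFO_EXT in hello['extensions']
            or TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello['cipher_suites'])


class Indicator(Enum):
    """The four panel choices (example naming)."""
    OPTIONAL = 'Optional'
    REQUIRE_SERVER = 'Require by server for client initiated sessions'
    REQUIRE_CLIENT = 'Require by client for server initiated sessions'
    REQUIRE_PEER = 'Require by peer for all sessions'


def initial_handshake_allowed(setting: Indicator, local_role: str,
                              peer_signals: bool) -> bool:
    """Decide whether our initial handshake may proceed. local_role is
    'client' or 'server' (our side of the connection)."""
    if setting is Indicator.OPTIONAL:
        return True
    if setting is Indicator.REQUIRE_SERVER:   # we are the client: server must signal
        return local_role != 'client' or peer_signals
    if setting is Indicator.REQUIRE_CLIENT:   # we are the server: client must signal
        return local_role != 'server' or peer_signals
    return peer_signals                        # REQUIRE_PEER: always required


def build_client_hello(cipher_suites, extensions=()) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello body for the demonstration."""
    body = b'\x03\x03' + bytes(32) + b'\x00'   # version, random, empty session_id
    cs = b''.join(struct.pack('!H', c) for c in cipher_suites)
    body += struct.pack('!H', len(cs)) + cs
    body += b'\x01\x00'                          # one compression method: null
    if extensions:
        ext = b''.join(struct.pack('!HH', t, len(d)) + d for t, d in extensions)
        body += struct.pack('!H', len(ext)) + ext
    return body


# Constructed sample hellos (not captured traffic).
HELLO_WITH_EXT = build_client_hello([0xC02F, 0x009C], [(RENEGOTIATION_INFO_EXT, b'\x00')])
HELLO_WITH_SCSV = build_client_hello([0xC02F, TLS_EMPTY_RENEGOTIATION_INFO_SCSV])
HELLO_LEGACY = build_client_hello([0xC02F])

if __name__ == '__main__':
    for name, raw in [('extension', HELLO_WITH_EXT), ('scsv', HELLO_WITH_SCSV),
                      ('legacy', HELLO_LEGACY)]:
        signals = peer_signals_rfc5746(parse_client_hello(raw))
        verdict = initial_handshake_allowed(Indicator.REQUIRE_CLIENT, 'server', signals)
        print(f'{name}: signals RFC 5746={signals}, server accepts={verdict}')
```

With the server-side setting that requires the client to signal, the legacy hello is the only one rejected; under Optional every hello is accepted, which is why that default gives no assurance that the peer implements RFC 5746.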
You have completed this panel when you have specified in the steps above the values and settings that you want to have different from the defaults.