Starting AT-TLS on a connection

Use the SIOCTTLSCTL ioctl with option TTLS_INIT_CONNECTION to start AT-TLS on a connection. This starts the SSL handshake. With a non-blocking socket, the ioctl returns immediately and the server can wait for the handshake to complete by waiting for the socket to become writable. With a blocking socket, the ioctl blocks until the handshake is complete. If the handshake times out or fails for any reason, the connection is reset; the application does not get a chance to fall back to cleartext on that socket.

Some server applications need to support some clients using cleartext security negotiation and other clients using implicit security, where the SSL handshake starts as soon as the TCP connection to the server is established. For server applications that support both types of clients, the TTLS_ALLOW_HSTIMEOUT option is helpful. This option enables the server to request an SSL handshake and keep the TCP connection active if the SSL handshake times out. The option is most effective when the server normally sends data to the client first: a cleartext client that waits for the server's greeting sends nothing during the handshake, so the handshake times out and the connection survives, whereas a client that sends cleartext data first causes the handshake to fail and the connection to be reset. The server application must request both the TTLS_INIT_CONNECTION and the TTLS_ALLOW_HSTIMEOUT option on the same SIOCTTLSCTL start handshake request to keep the connection active after an SSL handshake timeout.

The server application waits for the SSL handshake to complete, either on a blocking socket or, on a non-blocking socket, by waiting for the socket to become writable. After the handshake completes, the server application can check the SIOCTTLSCTL status to determine the state of the connection, the negotiated session attributes, and other information. If a non-blocking socket is used, the final status is queried by issuing another SIOCTTLSCTL ioctl with option TTLS_QUERY_ONLY. If a blocking socket is used, the final status is contained in the returned SIOCTTLSCTL structure. Ensure that your server application checks the SIOCTTLSCTL status and takes appropriate action based on the returned status. This matters most when TTLS_ALLOW_HSTIMEOUT is requested: the connection can still be active but not secure after a handshake timeout, so a server that sends data without first confirming the connection status can send it in cleartext to an unauthenticated peer.

Restriction: The TTLS_ALLOW_HSTIMEOUT option is supported only when the HandshakeRole value is Server or ServerWithClientAuth and the HandshakeTimer value is nonzero.
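The following is an added example, not code from the IBM page, showing how a server drives the non-blocking sequence above: build the start request (optionally with TTLS_ALLOW_HSTIMEOUT), wait for the socket to become writable, re-query with TTLS_QUERY_ONLY, and classify the result before sending any data. On z/OS it assumes the real TTLS_IOCTL structure and TTLS_* constants from ezbztlsc.h (field names TTLSi_Ver, TTLSi_Req_Type, TTLSi_Stat_Policy, TTLSi_Stat_Conn) and SIOCTTLSCTL from sys/ioctl.h; off z/OS it declares a reduced stand-in with placeholder numeric values so the request-building and status logic can be compiled and exercised elsewhere. The enum names, helper names and the poll-based wait are this example's own, not part of the AT-TLS API.

```c
/* Added example, not code from the IBM page: driving the AT-TLS
 * start-handshake request on a non-blocking server socket.
 * On z/OS the real definitions come from ezbztlsc.h (TTLS_IOCTL struct,
 * TTLS_* constants) and SIOCTTLSCTL from sys/ioctl.h. Elsewhere a reduced
 * stand-in is declared so the request-building and status logic compiles;
 * its numeric values are placeholders, NOT the real ones. */
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/ioctl.h>

#ifdef __MVS__
#include <ezbztlsc.h>
#else
#define TTLS_VERSION1           1     /* stand-in values, see above */
#define TTLS_QUERY_ONLY         0x01
#define TTLS_INIT_CONNECTION    0x02
#define TTLS_ALLOW_HSTIMEOUT    0x40
#define TTLS_POL_NO_POLICY      0
#define TTLS_POL_NOT_ENABLED    1
#define TTLS_POL_ENABLED        2
#define TTLS_CONN_NOTSECURE     0
#define TTLS_CONN_HS_INPROGRESS 1
#define TTLS_CONN_SECURE        2
#define SIOCTTLSCTL             0
struct TTLS_IOCTL {               /* subset of the real layout */
    unsigned int  TTLSi_Ver;
    unsigned int  TTLSi_Req_Type;
    unsigned char TTLSi_Stat_Policy;
    unsigned char TTLSi_Stat_Conn;
};
#endif

/* Example's own result codes (not AT-TLS definitions). */
enum { ATTLS_SECURE = 1, ATTLS_CLEARTEXT_FALLBACK = 0, ATTLS_NOT_USABLE = -1 };

/* Fill the start request. allow_hstimeout adds TTLS_ALLOW_HSTIMEOUT on the
 * same request so a handshake timeout keeps the TCP connection active. */
void at_tls_build_start(struct TTLS_IOCTL *ioc, int allow_hstimeout)
{
    memset(ioc, 0, sizeof *ioc);
    ioc->TTLSi_Ver = TTLS_VERSION1;
    ioc->TTLSi_Req_Type = TTLS_INIT_CONNECTION;
    if (allow_hstimeout)
        ioc->TTLSi_Req_Type |= TTLS_ALLOW_HSTIMEOUT;
}

/* Fill a pure status query (no action requested). */
void at_tls_build_query(struct TTLS_IOCTL *ioc)
{
    memset(ioc, 0, sizeof *ioc);
    ioc->TTLSi_Ver = TTLS_VERSION1;
    ioc->TTLSi_Req_Type = TTLS_QUERY_ONLY;
}

/* Interpret the final status before any application data is sent.
 * ATTLS_SECURE: TLS is up. ATTLS_CLEARTEXT_FALLBACK: the handshake timed
 * out but the connection survived because TTLS_ALLOW_HSTIMEOUT was
 * requested; the peer is cleartext and must be treated as unauthenticated.
 * ATTLS_NOT_USABLE: no AT-TLS policy maps the socket, the handshake is
 * still pending, or the timeout fallback was not requested. */
int at_tls_classify(const struct TTLS_IOCTL *ioc, int allow_hstimeout)
{
    if (ioc->TTLSi_Stat_Policy == TTLS_POL_NO_POLICY ||
        ioc->TTLSi_Stat_Policy == TTLS_POL_NOT_ENABLED)
        return ATTLS_NOT_USABLE;
    if (ioc->TTLSi_Stat_Conn == TTLS_CONN_SECURE)
        return ATTLS_SECURE;
    if (ioc->TTLSi_Stat_Conn == TTLS_CONN_NOTSECURE && allow_hstimeout)
        return ATTLS_CLEARTEXT_FALLBACK;
    return ATTLS_NOT_USABLE;
}

/* Full non-blocking sequence on a real z/OS socket: start, wait for the
 * socket to become writable, re-query, classify. Returns an ATTLS_* code,
 * or -2 when the ioctl or poll call itself fails (errno is set). */
int at_tls_start_nonblocking(int sd, int allow_hstimeout, int wait_ms)
{
    struct TTLS_IOCTL ioc;
    struct pollfd p = { sd, POLLOUT, 0 };

    at_tls_build_start(&ioc, allow_hstimeout);
    if (ioctl(sd, SIOCTTLSCTL, (char *)&ioc) < 0)
        return -2;                        /* request rejected; check errno */
    if (poll(&p, 1, wait_ms) <= 0)
        return -2;                        /* poll error or our own timeout */
    at_tls_build_query(&ioc);
    if (ioctl(sd, SIOCTTLSCTL, (char *)&ioc) < 0)
        return -2;                        /* handshake failed; conn reset */
    return at_tls_classify(&ioc, allow_hstimeout);
}
```

A server that supports both implicit-TLS and cleartext-negotiating clients calls at_tls_start_nonblocking with allow_hstimeout set and then branches on the result: send the greeting over TLS for ATTLS_SECURE, continue the cleartext negotiation for ATTLS_CLEARTEXT_FALLBACK, and close the socket for anything else. Without TTLS_ALLOW_HSTIMEOUT, a NOTSECURE status after the wait should never be treated as usable.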