On Tue, Feb 11, 2014 at 11:06 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> According to their documentation it performs a rehandshake over the
>> session. That has to be verified with a cisco server though.
>> For openconnect to support that (and test it), calling
>> gnutls_handshake() over an existing session would be sufficient.
> I have a *very* vague recollection of having tried that, and it not
> being sufficient. It's been a long time though. And it might only have
> been DTLS which stopped working; that required a rekey after 24 hours.
> Which made it very painful to test, of course.

It could be that anyconnect servers use a custom protocol to negotiate the
rehandshake. For example it could be something like a packet 'start
rehandshake' and then start the actual TLS rehandshake, but I find it highly
unlikely as it is pointless.

I have modified the rekey branch to handle rehandshakes, so I'd appreciate
it if somebody could test it against a cisco server. As I understand it, one
would need to set something like:

  svc rekey method ssl
  svc rekey time 1

regards,
Nikos