Renegotiating an Schannel Connection
To change a connection's attributes, such as the cipher suite or client authentication, you can request a "redo" or renegotiation of the connection.
If the attributes you want to change are controlled by credentials, you must obtain new credentials before you renegotiate the connection. For more information, see Obtaining Schannel Credentials.
To request a redo from a client application, call the InitializeSecurityContext (Schannel) function. Server applications call the AcceptSecurityContext (Schannel) function. Set the parameters as follows:
- Specify the existing security context in the phContext parameter.
- (Clients only) Specify the same server name (in the pszTargetName parameter) as specified when establishing the context.
- Specify new credentials, using the phCredential parameter, if applicable.
- If you want to change context attributes unrelated to the credentials, specify these attributes using the fContextReq parameter.
After calling the appropriate function, your application should send the results to the client and continue processing incoming messages using the DecryptMessage (Schannel) function.
The DecryptMessage (Schannel) function will return SEC_I_RENEGOTIATE when Schannel is ready for your application to proceed. When you receive the SEC_I_RENEGOTIATE return code, your application must call AcceptSecurityContext (Schannel) (servers) or InitializeSecurityContext (Schannel) (clients), and pass the contents of SECBUFFER_EXTRA returned from DecryptMessage in the SECBUFFER_TOKEN. After this call returns a value, proceed as though your application were creating a new connection.