Using a Deferred Handshake
A deferred handshake lets an application open an ordinary, unsecured connection, exchange cleartext over it, and later upgrade that same connection to a secure one, the pattern used by protocols with an explicit STARTTLS-style upgrade step.
To implement secure sockets with a deferred handshake
- Create a socket with socket.
- Set the socket in secure mode with setsockopt.
The level parameter should be set to SOL_SOCKET, optname should be set to SO_SECURE, and optval should be a DWORD set to SO_SEC_SSL.
- Specify the certificate validation callback function by invoking WSAIoctl with the SO_SSL_SET_VALIDATE_CERT_HOOK control code. The input buffer is an SSLVALIDATECERTHOOK structure whose HookFunc member points to the callback and whose pvArg member is passed back to the callback unchanged. The hook must be installed before the handshake is performed.
- Set the socket in deferred handshake mode with WSAIoctl. The control code should be set to SO_SSL_SET_FLAGS and the input buffer should be a DWORD containing SSL_FLAG_DEFER_HANDSHAKE.
- Establish a non-secure connection with the remote party using connect.
- Transmit and receive unencrypted data as usual. Everything exchanged at this stage is neither encrypted nor authenticated, so credentials and other sensitive data must not be sent before the upgrade.
- To switch to secure mode, invoke WSAIoctl with the SO_SSL_PERFORM_HANDSHAKE control code.
The certificate validation callback is invoked automatically during the handshake, and the handshake succeeds only if the callback accepts the peer's certificate by returning SSL_ERR_OKAY. Because the outcome rests on that return value, the callback must actually validate the certificate; a callback that returns SSL_ERR_OKAY unconditionally produces an encrypted but unauthenticated connection. If the WSAIoctl call fails, close the socket rather than continuing to exchange data on the still-unsecured connection.
- Transmit and receive as usual.
The send and recv functions encrypt and decrypt the data automatically.
- Close the socket with closesocket.
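The whole procedure above, as an added example that is not part of the original page and not Microsoft's own code. It assumes the Windows CE Winsock SSL declarations in winsock2.h: the SSLVALIDATECERTHOOK structure with HookFunc and pvArg members, the SSLVALIDATECERTFUNC callback shape (dwType, pvArg, dwChainLen, pCertChain, dwFlags), the SSL_CERT_X509 certificate type, the SSL_CERT_FLAG_ISSUER_UNKNOWN flag and the SSL_ERR_* return codes. That SO_SSL_PERFORM_HANDSHAKE takes the peer address as its input buffer is also an assumption to check against the control-code reference for your platform. The names connect_deferred_tls, validate_cert_hook, CertPolicy and run_policy_samples are mine, the off-device stand-in values are placeholders, and the certificate bytes are constructed, not a real certificate. The policy the hook applies is certificate pinning: it returns SSL_ERR_OKAY only for the exact DER bytes the application expects, so the hook cannot degrade into the common always-accept stub.

```c
/* Deferred (STARTTLS-style) SSL handshake on a Windows CE secure socket.
 * Added example, not code from the original page. Assumes the Windows CE
 * Winsock SSL declarations in winsock2.h (SO_SECURE, SO_SEC_SSL, SO_SSL_*
 * control codes, SSLVALIDATECERTHOOK, SSL_ERR_* codes). The socket sequence
 * compiles only on the device (_WIN32_WCE); the certificate policy is
 * plain C and runs anywhere. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32_WCE
#include <winsock2.h>
#else
/* Off-device stand-ins so the policy compiles on a desktop. The numeric
 * values are placeholders (assumption); on the device winsock2.h is used. */
typedef unsigned long DWORD;
typedef unsigned char BYTE;
typedef void *LPVOID;
typedef struct { DWORD cbSize; BYTE *pBlobData; } BLOB, *LPBLOB;
#define SSL_CERT_X509                1
#define SSL_CERT_FLAG_ISSUER_UNKNOWN 0x00000001
#define SSL_ERR_OKAY                 0
#define SSL_ERR_FAILED               2
#define SSL_ERR_BAD_TYPE             4
#define SSL_ERR_NO_CERT              6
#define SSL_ERR_CERT_UNKNOWN         10
#endif

/* Handed to the hook through pvArg: the DER bytes of the one server
 * certificate this client accepts (pinning), and whether the platform's
 * "issuer unknown" verdict is fatal on top of the pin. */
typedef struct {
    const BYTE *pinned_der;
    size_t      pinned_len;
    int         require_known_issuer;
} CertPolicy;

/* SSLVALIDATECERTFUNC-shaped hook. The handshake succeeds only when this
 * returns SSL_ERR_OKAY, so every acceptance path must be deliberate. */
int validate_cert_hook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen,
                       LPBLOB pCertChain, DWORD dwFlags)
{
    const CertPolicy *p = (const CertPolicy *)pvArg;
    if (p == NULL || p->pinned_der == NULL) return SSL_ERR_FAILED; /* no policy: reject */
    if (dwType != SSL_CERT_X509)            return SSL_ERR_BAD_TYPE;
    if (dwChainLen < 1 || pCertChain == NULL ||
        pCertChain[0].pBlobData == NULL || pCertChain[0].cbSize == 0)
        return SSL_ERR_NO_CERT;
    if (p->require_known_issuer && (dwFlags & SSL_CERT_FLAG_ISSUER_UNKNOWN))
        return SSL_ERR_CERT_UNKNOWN;
    if (pCertChain[0].pBlobData[0] != 0x30)      /* DER certificate = SEQUENCE */
        return SSL_ERR_FAILED;
    if ((size_t)pCertChain[0].cbSize != p->pinned_len ||
        memcmp(pCertChain[0].pBlobData, p->pinned_der, p->pinned_len) != 0)
        return SSL_ERR_FAILED;                   /* not the pinned certificate */
    return SSL_ERR_OKAY;
}

#ifdef _WIN32_WCE
/* Steps 1-7 of the procedure. `cleartext` is the protocol's unencrypted
 * preamble (e.g. a STARTTLS command). On any failure the socket is closed
 * rather than left usable in cleartext. */
SOCKET connect_deferred_tls(const SOCKADDR_IN *server, const char *cleartext,
                            int cleartext_len, const CertPolicy *policy)
{
    DWORD optval = SO_SEC_SSL, flags = SSL_FLAG_DEFER_HANDSHAKE, bytes = 0;
    SSLVALIDATECERTHOOK hook;
    char reply[64];
    SOCKET s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) return INVALID_SOCKET;
    hook.HookFunc = validate_cert_hook;
    hook.pvArg    = (LPVOID)policy;
    if (setsockopt(s, SOL_SOCKET, SO_SECURE, (char *)&optval, sizeof optval) == SOCKET_ERROR ||
        WSAIoctl(s, SO_SSL_SET_VALIDATE_CERT_HOOK, &hook, sizeof hook, NULL, 0, &bytes, NULL, NULL) == SOCKET_ERROR ||
        WSAIoctl(s, SO_SSL_SET_FLAGS, &flags, sizeof flags, NULL, 0, &bytes, NULL, NULL) == SOCKET_ERROR ||
        connect(s, (const struct sockaddr *)server, sizeof *server) == SOCKET_ERROR)
        goto fail;
    /* Cleartext phase: neither encrypted nor authenticated. */
    if (send(s, cleartext, cleartext_len, 0) != cleartext_len || recv(s, reply, sizeof reply, 0) <= 0)
        goto fail;
    /* Upgrade; the hook decides whether this succeeds. Passing the peer address
     * as the input buffer is an assumption (check the platform reference). */
    if (WSAIoctl(s, SO_SSL_PERFORM_HANDSHAKE, (LPVOID)server, sizeof *server, NULL, 0, &bytes, NULL, NULL) == SOCKET_ERROR)
        goto fail;
    return s;                                    /* send()/recv() now encrypt */
fail:
    closesocket(s);
    return INVALID_SOCKET;
}
#endif

/* Constructed sample bytes (not a real certificate) exercising the policy.
 * out[0..3]: pinned match, wrong bytes, wrong type, unknown issuer (strict). */
static const BYTE SAMPLE_PIN[] = { 0x30, 0x82, 0x01, 0xF4, 0xDE, 0xAD, 0xBE, 0xEF };
void run_policy_samples(int out[4])
{
    BYTE other[] = { 0x30, 0x82, 0x01, 0xF4, 0x00, 0x00, 0x00, 0x00 };
    BLOB good = { sizeof SAMPLE_PIN, (BYTE *)SAMPLE_PIN }, bad = { sizeof other, other };
    CertPolicy lax = { SAMPLE_PIN, sizeof SAMPLE_PIN, 0 };
    CertPolicy strict = { SAMPLE_PIN, sizeof SAMPLE_PIN, 1 };
    out[0] = validate_cert_hook(SSL_CERT_X509, &lax, 1, &good, 0);
    out[1] = validate_cert_hook(SSL_CERT_X509, &lax, 1, &bad, 0);
    out[2] = validate_cert_hook(SSL_CERT_X509 + 1, &lax, 1, &good, 0);
    out[3] = validate_cert_hook(SSL_CERT_X509, &strict, 1, &good, SSL_CERT_FLAG_ISSUER_UNKNOWN);
}
```

Because the handshake outcome rests entirely on the hook's return value, the rejection paths matter as much as the acceptance path: the hook rejects when no policy was supplied, when the chain is empty or not X.509, and when the bytes differ from the pin, and connect_deferred_tls closes the socket on any failure so the application never keeps using a connection that was meant to be secured but was not. The cleartext preamble is an application-protocol matter; an active attacker on the path can read and alter it, so nothing sensitive belongs there.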