Hi again,
There's (secure) Server/Client-initiated TLS renegotiation (both ways are possible). That happens inband without tearing down the session.
Which, by way of practicalities, is probably not even needed. A change of cert typically means putting a new PEM file on the file system and *restarting the server* to pick up the new file. That tears down any sessions and re-establishes them with the new cert. Problem solved :-) But hey, if not, Secure TLS Renegotiation comes for your rescue anyway. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66