Index: /branches/rel_apv_10_7/usr/click/lib/libssl_cli/ssl_cli.c
===================================================================
--- /branches/rel_apv_10_7/usr/click/lib/libssl_cli/ssl_cli.c	(revision 39935)
+++ /branches/rel_apv_10_7/usr/click/lib/libssl_cli/ssl_cli.c	(working copy)
@@ -6414,8 +6414,15 @@
 	printf("SM2v11 signature key length: %d bit\n",pkey_len_sm2v11_sign);
 	printf("SM2v11 encipherment key length: %d bit\n",pkey_len_sm2v11_enc);
 	printf("SSL version    : %s\n", VER2STR(vhost->ssl_ver));
-	printf("SSL renegotiation: %s\n",
-	       (vhost->flags & SSL_VHOST_RENEG_SUPPORT)?"enabled" : "disabled");
+	if (host_type == SSL_VIRTUAL_HOST) {
+		printf("SSL renegotiation: %s\n", (vhost->flags & SSL_VHOST_RENEG_SUPPORT)?"enabled" : "disabled");
+	} else if (host_type == SSL_REAL_HOST) {
+		if ((vhost->flags) & SSL_RHOST_SECURE_ERNEG_MANDATORY || (vhost->flags) & SSL_RHOST_SECURE_ERNEG) {
+			printf("SSL Rhost renegotiation: %s\n", "enabled");
+		} else {
+			printf("SSL Rhost renegotiation: %s\n", "disabled");
+		}
+	}
 	printf("Ciphersuite    : %s\n", vhost->cipherstr);
 	printf("Session Reuse  : %s\n", 
 		    ((vhost->flags) & SSL_VHOST_REUSE) ? "enabled" : "disabled");
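Review bot: The new real-host branch reports "enabled" from the per-host flags alone, while the runtime gate in ssl_server.c also requires the global `renegotiation_enable == 1` before `SSL_RHOST_SECURE_ERNEG`/`_MANDATORY` have any effect, so an operator can read "SSL Rhost renegotiation: enabled" on a host where secure renegotiation is actually off. If that global is reachable from this CLI code, fold it into the condition; otherwise a comment such as `/* per-host setting only; also requires "ssl globals renegotiation on" */` above the `else if (host_type == SSL_REAL_HOST)` branch would avoid the misleading display. The flag test itself can be written once as `if (vhost->flags & (SSL_RHOST_SECURE_ERNEG_MANDATORY | SSL_RHOST_SECURE_ERNEG))`, which also removes the reliance on `&` binding tighter than `||`. The enclosing function starts and ends outside the hunk.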
@@ -30152,11 +30159,16 @@
 							 " ciphersuite \"%s\" \"%s\"\n", vhost->name, vhost->cipherstr);
 				}
 
-				if (vhost->flags & SSL_VHOST_RENEG_SUPPORT) {
-					F_PRINTF(fp, end, "ssl settings reneg \"%s\"\n", vhost->name);
-				} else {
-					F_PRINTF(fp, end, "no ssl settings reneg \"%s\"\n", vhost->name);
+				/* Command "ssl settings reneg" is for vhost only */
+				if (!client_flag){
+					if (vhost->flags & SSL_VHOST_RENEG_SUPPORT) {
+						F_PRINTF(fp, end, "ssl settings reneg \"%s\"\n", vhost->name);
+					} else {
+						F_PRINTF(fp, end, "no ssl settings reneg \"%s\"\n", vhost->name);
+					}
 				}
+				/*  To enable rhost renegotiaition, use "ssl settings clientreneg" with "ssl globals renegotiation on" */
+
 				/*reuse*/
 				if((vhost->flags) & SSL_VHOST_REUSE) {
 					F_PRINTF(fp, end, "ssl settings"
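Review bot: This running-config dump now skips the reneg line for client (real-host) entries, but nothing in the hunk emits the `SSL_RHOST_SECURE_ERNEG`/`_MANDATORY` state for them, so unless the "ssl settings clientreneg" command is written out elsewhere, a saved configuration will silently lose the rhost renegotiation setting on reload; if it is written elsewhere, the comment should say where instead of leaving the reader to guess. The comment also has a typo, `renegotiaition`, and would read better as `/* Rhost renegotiation is not dumped here; it is driven by "ssl settings clientreneg" together with "ssl globals renegotiation on" (see <that writer>) */`. The enclosing function starts and ends outside the hunk.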
Index: /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_client.c
===================================================================
--- /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_client.c	(revision 39935)
+++ /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_client.c	(working copy)
@@ -480,7 +480,29 @@
 			}
 		}
 	}
-	
+
+	if((sslp->flags & SSL_FLAG_RHOST_SUPPORT_SECURE_RENEG) != 0 &&
+	   SSL_RESTARTED(sslp)) {
+
+		uint8_t client_verify_length = SSL_FINISHED_LEN(sslp) - 4;
+
+		//type
+		*cp++ = 0xff;
+		*cp++ = 0x01;
+
+		//size
+		*cp++ = 0x00;
+		*cp++ = client_verify_length + 1;
+		
+		//length
+		*cp++ = client_verify_length;
+
+		//sslp->client_verify_data
+		PRINTF("client_verify_length", sslp->client_verify_data + 4, client_verify_length);
+		memcpy(cp, sslp->client_verify_data + 4, client_verify_length);
+		cp += client_verify_length;
+	}
+
 	gettimeofday(&tm, NULL);
 	*(uint32_t *)sslp->client_random = htonl(tm.tv_sec);
 	if (ssl_random(sslp->client_random + 4, SSL3_RANDOM_SIZE - 4) != SSL3_RANDOM_SIZE - 4) {
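Review bot: The new extension writer stores 5 + `client_verify_length` bytes through `cp` with no check that the ClientHello buffer has that much room left, and nothing in the hunk shows the extensions-length prefix being increased by the same amount, so both should be confirmed in the surrounding code (the function starts and ends outside the hunk); if an end pointer is available, a guard like `if (end - cp < 5 + client_verify_length) return SSL_ERROR;` before the `*cp++ = 0xff;` line would make the write safe. Note also that the extension is only emitted when `SSL_RESTARTED(sslp)`; per RFC 5746 the initial ClientHello must carry either an empty renegotiation_info or TLS_EMPTY_RENEGOTIATION_INFO_SCSV, since a compliant server never sends the extension unsolicited and `SSL_FLAG_RHOST_SUPPORT_SECURE_RENEG` would then never be set on the server-hello path. The `PRINTF(...)` hex dump of the verify data on every renegotiation is debug noise for a handshake path and is better compiled out or guarded by the existing debug level.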
Index: /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_server.c
===================================================================
--- /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_server.c	(revision 39935)
+++ /branches/rel_apv_10_7/usr/src/sys/click/app/ssl/ssl_server.c	(working copy)
@@ -734,6 +734,41 @@
 				}
 				sslstats.ssls_ems_connection_num++;
 			}
+		} else if ((type == TLSEXT_SECURE_RENEGOTIATION) &&
+					 !(sslp->flags & SSL_FLAG_IS_SERVER)){
+			if(renegotiation_enable == 1 &&
+				((sslp->vhost->flags & SSL_RHOST_SECURE_ERNEG) || 
+				(sslp->vhost->flags & SSL_RHOST_SECURE_ERNEG_MANDATORY))) {
+				if (size == 1 &&
+					((uint8_t)(p)[0] == 0) &&
+					!SSL_RESTARTED(sslp)) {
+					sslp->flags |= SSL_FLAG_RHOST_SUPPORT_SECURE_RENEG;
+				} else if (SSL_RESTARTED(sslp) && 
+							(sslp->flags & SSL_FLAG_RHOST_SUPPORT_SECURE_RENEG) != 0) {
+					uint8_t tls12_vfy_length = SSL_FINISHED_LEN(sslp) - 4;
+					uint8_t server_verify_len = tls12_vfy_length * 2;
+					ssl_printf("sec_tlsext sz = %d, length = %d\n", size, server_verify_len);
+					PRINTF("server's verify:", p + 1, server_verify_len);
+					PRINTF("clinet_verify:", sslp->client_verify_data + 4, tls12_vfy_length);
+					PRINTF("server_verify:", sslp->server_verify_data + 4, tls12_vfy_length);
+					if(size < 1 ||
+						server_verify_len != *p || 
+						size != 1 + server_verify_len ||
+						memcmp(p + 1, sslp->client_verify_data + 4, tls12_vfy_length) != 0 ||
+						memcmp(p + 1 + tls12_vfy_length, sslp->server_verify_data + 4, tls12_vfy_length) != 0){
+						ssl_printf("ServerHello verify data mismatch!\n");
+						ret = SSL_ERROR;
+					}else{
+						ssl_printf("ServerHello verify data matched!\n");
+						sslp->flags2 |= SSL_FLAG2_RHOST_SECURE_RENEG;
+					}
+				} else {
+					ssl_printf("invalid ServerHello secure reneg tlsext\n");
+					ret = SSL_ERROR;
+				}
+			}else{
+				ret = SSL_ERROR;
+			}
 		}
 		
 		p += size;
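Review bot: The debug dump `PRINTF("server's verify:", p + 1, server_verify_len);` reads `server_verify_len` (24) bytes past `p` before `size` has been validated, so a ServerHello from the peer carrying a short renegotiation_info makes the client read beyond the extension data; the `size < 1` and `size != 1 + server_verify_len` tests only come afterwards on the `if` that sets `ret`. Move the three `PRINTF` lines below that validation, or bound the dump by what was actually received, e.g. `PRINTF("server's verify:", p + 1, size > 0 ? size - 1 : 0);`. Also worth confirming outside this hunk, since the function starts and ends beyond it: a ServerHello on renegotiation that omits the extension entirely never enters this branch, so the post-loop code needs to fail the handshake when `SSL_RESTARTED(sslp)` and `SSL_FLAG2_RHOST_SECURE_RENEG` was not set, and `ret = SSL_ERROR` here does not leave the extension loop, which keeps parsing after a failed check. Rejecting an unsolicited empty extension in the final `else` (`ret = SSL_ERROR`) is consistent with RFC 5246 7.4.1.4 only if the initial ClientHello did not advertise secure renegotiation; if it sends the SCSV by default, this branch would break every connection to an RFC 5746 server when the feature is off.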
