SSL and TLS questions

[Nick Mathewson <nickm@alum.mit.edu>]

1) Could somebody point me at some OpenSSL example code for
client-initiated key renegotiation on an *asynchronous* (nonblocking)
socket?  Assume that we're using DHE and we want to establish a new key
without repeating authentication and other expensive stuff.  Assume also
that the client should not send any more data until the new handshake is
done.

2) OpenSSL's license is problematic: you can't link it with GPL'd code. 
(You can add an exemption to your version of the GPL, but then your code
isn't linkable with GPL'd code.)

I want our client stuff at least to be linkable with anybody's code. 
This means that, in the long term, we need to switch to something
besides OpenSSL.  Our candidates are:
    GnuTLS (http://www.gnu.org/software/gnutls) and 
    NSS (www.mozilla.org/projects/security/pki/nss).

Both have acceptable licenses (Mozilla and LGPL respectively).  NSS is
likelier to be widely deployed in the short-medium term, since it's a
part of Mozilla.  But NSS doesn't currently support server-side DHE, so
we can't use it until it does.

Can anybody who knows what's up with the NSS people comment on the
likelihood and timing of server-side DHE?  Can anybody with GnuTLS
experience comment on the performance and stability of GnuTLS, and its
support for DHE?  [No politics, please. :) ]

Yours,
-- 
Nick