I made most changes required to mod_nss.  You recommended looking in nss_hook_Access() to see how to force a TLS handshake.  In this function, the TLS handshake is renegotiated from scratch to reflect any reconfigured parameters, right?

In the case of upgrading HTTP to TLS, there has been no previous TLS handshake.  Should I still use the SSL_ReHandshake function (as in nss_hook_Access)?  Or, would I need to call SSL_ResetHandshake instead?