Score:0

Should SSL renegotiate messages be encrypted?

AHS

In RFC 5246 it is not mentioned that SSL renegotiate messages should be encrypted. But when using the Windows Schannel API I see that the renegotiate messages are encrypted. I tried to send a crafted "Server Hello Request", not encrypted, to an SSL client in Windows and it didn't accept it; it returned an ALERT message stating that it can't decrypt the message. Any idea how I can do SSL renegotiate without encrypting the handshake messages?

Score:0

The SSL/TLS protocol requires that all handshake messages be encrypted to ensure the confidentiality and integrity of the negotiation process. According to the specification defined in RFC 5246, the SSL/TLS handshake protocol must be secure against tampering or eavesdropping by unauthorized parties.

It is not possible to perform an SSL/TLS renegotiation without encrypting the handshake messages. The security of the SSL/TLS protocol depends on the encryption of the handshake messages, and if this encryption is not applied, it would create a vulnerability that could be exploited by malicious actors.

The Schannel API in Windows implements the SSL/TLS protocol according to the specification defined in RFC 5246, and it requires that all handshake messages be encrypted during the renegotiation process. Attempting to send an unencrypted "Server Hello Request" message would result in an error because the client would not be able to decrypt the message, as you have observed.

In summary, it is not possible to perform an SSL/TLS renegotiation without encrypting the handshake messages, and attempting to do so would result in an error.
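As an added illustration (not part of the original question or answer), the sketch below walks one direction of a TLS 1.2 byte stream and labels each record by the receiver's read state, which is what decides whether a handshake record is parsed directly or handed to decryption. The helper names and the `SAMPLE` bytes are constructed for this example and simplified; they are not a real capture.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def record(ctype, fragment, version=(3, 3)):
    """Build one TLS record: type(1) | version(2) | length(2) | fragment."""
    return struct.pack("!BBBH", ctype, *version, len(fragment)) + fragment

def walk_records(stream):
    """Label each record in ONE direction of a TLS 1.2 stream.

    The receiver's read state leaves the null cipher when the peer sends
    ChangeCipherSpec; every later record in that direction, handshake
    records included, is then handled as ciphertext.
    """
    labels, offset, protected = [], 0, False
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            raise ValueError("truncated record fragment")
        state = "protected" if protected else "plaintext"
        labels.append((CONTENT_TYPES[ctype], state, length))
        if ctype == 20:
            protected = True   # keys are in force from the next record on
        offset += 5 + length
    return labels

# Constructed server-to-client bytes (simplified, not a real capture).
SAMPLE = (
    record(22, b"\x02" + bytes(41))       # stand-in for a cleartext ServerHello
    + record(20, b"\x01")                 # ChangeCipherSpec
    + record(22, bytes(range(40)))        # Finished, opaque ciphertext
    + record(23, b"\xaa" * 32)            # application data
    + record(22, b"\x00\x00\x00\x00")     # HelloRequest bytes sent in the clear
)

if __name__ == "__main__":
    for content_type, state, length in walk_records(SAMPLE):
        print(f"{content_type:<20}{state:<11}{length:>4} bytes")
```

The final record carries the four cleartext HelloRequest bytes, yet the receiver's state labels it `protected`, so those bytes are passed to decryption and integrity checking rather than parsed as a handshake message, which is consistent with the alert described in the question.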
