Code review request, 7188658 Add possibility to disable client initiated renegotiation

Xuelei Fan xuelei.fan at oracle.com
Thu Jun 13 02:05:09 PDT 2013


Ping again.

The new system property name is "jdk.tls.rejectClientInitializedRenego".
webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.01/

Thanks,
Xuelei

On 5/29/2013 11:43 PM, Xuelei Fan wrote:
> A new system property, "jsse.rejectClientInitializedRenego", is
> introduced to reject client initialized renegotiation in server side.
> If the system property is set to "true", server side should not accept
> client initialized renegotiation, and is expected to fail with a fatal
> handshake_failure alert if receiving client initialized renegotiation
> request.
> 
> The default value of the system property is "false".
> 
> It is expected that other JSSE providers also comply to this
> specification. The usage of the system property in client side is not
> defined.
> 
>>From the long run, the industry should move forward to secure
> renegotiation.  So we will not consider to support this enhancement with
> new Java class or method.
> 
> Xuelei
> 
> On 5/29/2013 11:39 PM, Xuelei Fan wrote:
>> Hi,
>>
>> This fix is an enhancement to add the ability in JSSE server side to
>> reject client initialized renegotiation.
>>
>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/
>>
>> Thanks,
>> Xuelei
>>
> 



More information about the security-dev mailing list