Code review request, 7188658 Add possibility to disable client initiated renegotiation
weijun.wang at oracle.com
Thu Jun 13 18:39:17 PDT 2013
What is this for?
state != HandshakeMessage.ht_hello_request
On 6/13/13 5:05 PM, Xuelei Fan wrote:
> Ping again.
> The new system property name is "jdk.tls.rejectClientInitializedRenego".
> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.01/
> On 5/29/2013 11:43 PM, Xuelei Fan wrote:
>> A new system property, "jsse.rejectClientInitializedRenego", is
>> introduced to reject client initialized renegotiation on the server side.
>> If the system property is set to "true", server side should not accept
>> client initialized renegotiation, and is expected to fail with a fatal
>> handshake_failure alert if receiving client initialized renegotiation
>> The default value of the system property is "false".
>> It is expected that other JSSE providers also comply with this
>> specification. The usage of the system property in client side is not
>> From the long run, the industry should move forward to secure
>> renegotiation. So we will not consider supporting this enhancement with
>> new Java class or method.
>> On 5/29/2013 11:39 PM, Xuelei Fan wrote:
>>> This fix is an enhancement to add the ability on the JSSE server side to
>>> reject client initialized renegotiation.
>>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/