Code review request, 7188658 Add possibility to disable client initiated renegotiation

Weijun Wang weijun.wang at oracle.com
Thu Jun 13 18:39:17 PDT 2013


What is this for?

    state != HandshakeMessage.ht_hello_request

-Max

On 6/13/13 5:05 PM, Xuelei Fan wrote:
> Ping again.
>
> The new system property name is "jdk.tls.rejectClientInitializedRenego".
> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.01/
>
> Thanks,
> Xuelei
>
> On 5/29/2013 11:43 PM, Xuelei Fan wrote:
>> A new system property, "jsse.rejectClientInitializedRenego", is
>> introduced to reject client initialized renegotiation in server side.
>> If the system property is set to "true", server side should not accept
>> client initialized renegotiation, and is expected to fail with a fatal
>> handshake_failure alert if receiving client initialized renegotiation
>> request.
>>
>> The default value of the system property is "false".
>>
>> It is expected that other JSSE providers also comply to this
>> specification. The usage of the system property in client side is not
>> defined.
>>
>> >From the long run, the industry should move forward to secure
>> renegotiation.  So we will not consider to support this enhancement with
>> new Java class or method.
>>
>> Xuelei
>>
>> On 5/29/2013 11:39 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> This fix is an enhancement to add the ability in JSSE server side to
>>> reject client initialized renegotiation.
>>>
>>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/
>>>
>>> Thanks,
>>> Xuelei
>>>
>>
>


More information about the security-dev mailing list