Code review request, 7188658 Add possibility to disable client initiated renegotiation

Xuelei Fan xuelei.fan at oracle.com
Thu Jun 13 18:45:31 PDT 2013


On 6/14/2013 9:39 AM, Weijun Wang wrote:
> What is this for?
> 
>    state != HandshakeMessage.ht_hello_request
> 
It is to allow server initialized renegotiation.  If server want a
renegotiation, it may send a HelloRequest message, and than the client
may response with a ClientHello message.  We should allow server
initialized renegotiation.  This is a filter in order to ignore server
initialized renegotiation.

Xuelei

> -Max
> 
> On 6/13/13 5:05 PM, Xuelei Fan wrote:
>> Ping again.
>>
>> The new system property name is "jdk.tls.rejectClientInitializedRenego".
>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.01/
>>
>> Thanks,
>> Xuelei
>>
>> On 5/29/2013 11:43 PM, Xuelei Fan wrote:
>>> A new system property, "jsse.rejectClientInitializedRenego", is
>>> introduced to reject client initialized renegotiation in server side.
>>> If the system property is set to "true", server side should not accept
>>> client initialized renegotiation, and is expected to fail with a fatal
>>> handshake_failure alert if receiving client initialized renegotiation
>>> request.
>>>
>>> The default value of the system property is "false".
>>>
>>> It is expected that other JSSE providers also comply to this
>>> specification. The usage of the system property in client side is not
>>> defined.
>>>
>>> >From the long run, the industry should move forward to secure
>>> renegotiation.  So we will not consider to support this enhancement with
>>> new Java class or method.
>>>
>>> Xuelei
>>>
>>> On 5/29/2013 11:39 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> This fix is an enhancement to add the ability in JSSE server side to
>>>> reject client initialized renegotiation.
>>>>
>>>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>
>>



More information about the security-dev mailing list