Code review request, 7188658 Add possibility to disable client initiated renegotiation

Weijun Wang weijun.wang at oracle.com
Thu Jun 13 19:27:17 PDT 2013


I see. The code change looks fine then.

Thanks
Max


On 6/14/13 9:45 AM, Xuelei Fan wrote:
> On 6/14/2013 9:39 AM, Weijun Wang wrote:
>> What is this for?
>>
>>     state != HandshakeMessage.ht_hello_request
>>
> It is to allow server initialized renegotiation.  If server want a
> renegotiation, it may send a HelloRequest message, and than the client
> may response with a ClientHello message.  We should allow server
> initialized renegotiation.  This is a filter in order to ignore server
> initialized renegotiation.
>
> Xuelei
>
>> -Max
>>
>> On 6/13/13 5:05 PM, Xuelei Fan wrote:
>>> Ping again.
>>>
>>> The new system property name is "jdk.tls.rejectClientInitializedRenego".
>>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.01/
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 5/29/2013 11:43 PM, Xuelei Fan wrote:
>>>> A new system property, "jsse.rejectClientInitializedRenego", is
>>>> introduced to reject client initialized renegotiation in server side.
>>>> If the system property is set to "true", server side should not accept
>>>> client initialized renegotiation, and is expected to fail with a fatal
>>>> handshake_failure alert if receiving client initialized renegotiation
>>>> request.
>>>>
>>>> The default value of the system property is "false".
>>>>
>>>> It is expected that other JSSE providers also comply to this
>>>> specification. The usage of the system property in client side is not
>>>> defined.
>>>>
>>>> >From the long run, the industry should move forward to secure
>>>> renegotiation.  So we will not consider to support this enhancement with
>>>> new Java class or method.
>>>>
>>>> Xuelei
>>>>
>>>> On 5/29/2013 11:39 PM, Xuelei Fan wrote:
>>>>> Hi,
>>>>>
>>>>> This fix is an enhancement to add the ability in JSSE server side to
>>>>> reject client initialized renegotiation.
>>>>>
>>>>> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>
>>>
>


More information about the security-dev mailing list