Code review request, 7188658 Add possibility to disable client initiated renegotiation

[Bernd Eckenfels]

Hello Xuelei,

This is nice to hear. BTW: my own Bug in that direction never made it through review, maybe you want to reference ist a well. Not Public: 2381456

There is a number of Security Advisories for this weakness (generic ones, mainly mentioning other implementations). It might be worth to acknowlege one of the CVEs or Issue your own one (I certainly have customers which noticed lack of it).

As I understand the spec you could, instead of rejecting also ignore the request. Did you consider making it a 3-state? (you can currently force the Same terminating behaviour with an empty cipher suite).

You mentioned industry will move to a secure handshake - are you aware of any initiative in that direction?

PS: i still would prefer to allow applications deal with this by having a syncronous handshake listener (would could then count handshake frequency and close the socket).

Bernd
-- 
bernd.eckenfels.net

Am 29.05.2013 um 17:39 schrieb Xuelei Fan <xuelei.fan at oracle.com>:

> Hi,
> 
> This fix is an enhancement to add the ability in JSSE server side to
> reject client initialized renegotiation.
> 
> webrev: http://cr.openjdk.java.net/~xuelei/7188658/webrev.00/
> 
> Thanks,
> Xuelei