Code review request, 7188658 Add possibility to disable client initiated renegotiation

Xuelei Fan at
Wed May 29 19:05:55 PDT 2013

Got it. Yes, this fix is addressing a different issue from you mentioned


On 5/30/2013 9:53 AM, Bernd Eckenfels wrote:
> Am 30.05.2013, 02:18 Uhr, schrieb Xuelei Fan < at>:
>>> 2381456
>> Would you mind send me the link of the bug, or the code review request
>> mail?  I may miss some mails about this direction.
> I am afraid I cant sent the link, the Bug is in review state and
> therefore not visible for me. It was acknowledged 2012-11-12, see
> attached. I guess the link would be
> (not sure if
> the numbers are the same in the new bug tool).
>> Good suggestion.  Oracle provider of JSSE had addressed the TLS
>> renegotiation issue in JDK 1.4.2 update 26, JDK 1.5.0 update 24 and JDK
>> 6u 19 around the end of 2009 and the beginning of 2010.  Here is the
>> readme of the fix:
> Thats a different problem, I was thinking about preventing execessive
> client initiated renegotiations. This is for example CVE-2011-1473 from
> THC.
>>> You mentioned industry will move to a secure handshake - are you
>>> aware of any initiative in that direction?
>> See  As far as I know, nearly all
>> major vendors of SSL protocols has support RFC5746.
> Ok, but thats a different issue. I was expecting 7188658 to address
> another point, but I might be wrong.
> I understand that as of Oracle policy we cannot discuss it. Even if this
> is a very well known issue. :-/
> Greetings
> Bernd

More information about the security-dev mailing list