Code review request, 7188658 Add possibility to disable client initiated renegotiation
Xuelei Fan
xuelei.fan at oracle.com
Thu May 30 02:05:55 UTC 2013
Got it. Yes, this fix is addressing a different issue from you mentioned
below.
Thanks,
Xuelei
On 5/30/2013 9:53 AM, Bernd Eckenfels wrote:
> Am 30.05.2013, 02:18 Uhr, schrieb Xuelei Fan <xuelei.fan at oracle.com>:
>>> 2381456
>> Would you mind send me the link of the bug, or the code review request
>> mail? I may miss some mails about this direction.
>
> I am afraid I cant sent the link, the Bug is in review state and
> therefore not visible for me. It was acknowledged 2012-11-12, see
> attached. I guess the link would be
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2381456 (not sure if
> the numbers are the same in the new bug tool).
>
>> Good suggestion. Oracle provider of JSSE had addressed the TLS
>> renegotiation issue in JDK 1.4.2 update 26, JDK 1.5.0 update 24 and JDK
>> 6u 19 around the end of 2009 and the beginning of 2010. Here is the
>> readme of the fix:
>> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html.
>>
>
> Thats a different problem, I was thinking about preventing execessive
> client initiated renegotiations. This is for example CVE-2011-1473 from
> THC.
>
>>> You mentioned industry will move to a secure handshake - are you
>>> aware of any initiative in that direction?
>>>
>> See http://www.rfc.org/rfc/rfc5746.txt. As far as I know, nearly all
>> major vendors of SSL protocols has support RFC5746.
>
> Ok, but thats a different issue. I was expecting 7188658 to address
> another point, but I might be wrong.
>
> I understand that as of Oracle policy we cannot discuss it. Even if this
> is a very well known issue. :-/
>
> Greetings
> Bernd
More information about the security-dev
mailing list