Code review request, 7188658 Add possibility to disable client initiated renegotiation

Xuelei Fan xuelei.fan at oracle.com
Wed May 29 19:05:55 PDT 2013


Got it. Yes, this fix is addressing a different issue from the one you mentioned
below.

Thanks,
Xuelei

On 5/30/2013 9:53 AM, Bernd Eckenfels wrote:
> On 30.05.2013, 02:18, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>> 2381456
>> Would you mind sending me the link to the bug, or the code review request
>> mail?  I may have missed some mails about this direction.
> 
> I am afraid I can't send the link, the bug is in review state and
> therefore not visible for me. It was acknowledged 2012-11-12, see
> attached. I guess the link would be
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2381456 (not sure if
> the numbers are the same in the new bug tool).
> 
>> Good suggestion.  The Oracle provider of JSSE addressed the TLS
>> renegotiation issue in JDK 1.4.2 update 26, JDK 1.5.0 update 24 and JDK
>> 6u19 around the end of 2009 and the beginning of 2010.  Here is the
>> readme of the fix:
>> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html.
>>
> 
> That's a different problem, I was thinking about preventing excessive
> client initiated renegotiations. This is for example CVE-2011-1473 from
> THC.
> 
>>> You mentioned industry will move to a secure handshake - are you
>>> aware of any initiative in that direction?
>>>
>> See http://www.rfc.org/rfc/rfc5746.txt.  As far as I know, nearly all
>> major vendors of SSL protocols support RFC 5746.
> 
> Ok, but that's a different issue. I was expecting 7188658 to address
> another point, but I might be wrong.
> 
> I understand that as per Oracle policy we cannot discuss it. Even if this
> is a very well-known issue. :-/
> 
> Greetings
> Bernd
