Disable TLS Renegociation ?
Simon Bernard
contact at simonbernard.eu
Tue Apr 23 09:54:04 UTC 2024
Hi,
I'm implementing coaps+tcp (Coap over TLS) for LWM2M protocol.
In this context, I would like to disable TLS renegotiation because :
* by the past we faces security issue about it
* it doesn't really make sense to use it with those protocols (better
to not increase the attack surface for nothing)
* (TLS) / (DTLS) Profiles for the Internet of Things strongly
recommend (mandate?) to disable it :
https://datatracker.ietf.org/doc/html/rfc7925#section-17
So what is the right way to deactivate it (for SslSocket and SslEngine)
? I searched for a programmatically way to do that (maybe using
SSLParam) but didn't find it.
Only find a system properties :
|jdk.tls.rejectClientInitiatedRenegotiation| to /"Rejects
client-initiated renegotiation on the server side. If this system
property is |true|, then the server will not accept client initiated
renegotiations and will fail with a fatal |handshake_failure| alert.
Rejects server-side client-initialized renegotiation."
/But the documentation says :///"This system property is currently used
by the JSSE implementation, but it is not guaranteed to be examined and
used by other implementations. If it is examined by another
implementation, then that implementation should handle it in the same
manner as the JSSE implementation does. There is no guarantee the
property will continue to exist or be of the same type (system or
security) in future releases."/
(source :
https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9)
Which sounds not so good and is only documented for java 17 and 21 (I
just checked LTS version), not java 8 or 11. /
/Did I miss something ?
(let me know if this is not the right place to ask this kind of question)
Simon/
/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20240423/279bcb48/attachment.htm>
More information about the security-dev
mailing list