JDK-7188658 : Add possibility to disable client initiated renegotiation
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 6
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2012-08-02
  • Updated: 2017-05-17
  • Resolved: 2013-06-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availabitlity Release.

To download the current JDK release, click here.
JDK 8
8 b96Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Description
Certicom SSL supports the possibilty to disable client initiated renegotiation
JSSE does not support this functionality.

WLS used to use Certicom-SSL. Now JSSE.
Hence there is s a loss of functionality.

Seems as if the needed work is already mostly done by one guy named Neale Rudd (http://wiki.metawerx.net/wiki/NealeRudd)

He is talking about a patch for openjdk that delivers exactly this feature in JSSE.

This is the mailinglist thread:
http://mail.openjdk.java.net/pipermail/security-dev/2012-March/004645.html
===============

Comments
Suggested release note: ---------------------------------- In Oracle JSSE provider, a new system property, "jdk.tls.rejectClientInitializedRenego", is defined to reject client initialized renegotiation in server side.
2013-11-23

INTJDK-7604029 has been filed to add tests with openssl client
2013-05-29

Bumping priority. Support paying customer has requested such a feature and I've pinged product management to look into it.
2012-11-28