Turning on TLS renegotiation
이희승 (Trustin Lee)
trustin at gmail.com
Mon Oct 10 07:50:29 EDT 2011
Dayne,
Thank you very much for the detailed explanation. I've just re-enabled TLS renegotiation in Netty. You will see this change in 3.2.6.
Cheers
--
Trustin Lee (http://gleamynode.net/)
On Sunday, September 25, 2011 at 7:45 PM, DLucas wrote:
> Hi Trustin,
>
> Oracle has released a fix to TLS renegotiation flaws as per RFC 5746:
> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
>
> According to that document, safe renegotiation is on by default: "Use of the
> proper RFC 5746 messages is optional, however legacy (original SSL/TLS
> specifications) renegotiations are disabled if the proper messages are not
> used. Initial legacy connections are still allowed, but legacy
> renegotiations are disabled. This is the best mix of security and
> interoperability, and is the default setting."
>
> If this is the case then enabling re-negotiation on a JVM that is Java6
> Update 22 or higher will not be a security issue anymore.
>
> Best regards,
>
> Dayne
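
A startup check for the condition described in the quoted message, as an added example that is not part of the original thread and is not Netty or Oracle code: it reports whether the running JVM is at least Java 6 Update 22 and which renegotiation mode the two JSSE system properties select. The class and method names are hypothetical, and treating releases older than Java 6 as unpatched is a conservative assumption of this example.

```java
// Added example: refuse to enable TLS renegotiation unless the JVM carries the
// RFC 5746 fix and has not been switched back to unsafe legacy renegotiation.
public final class RenegotiationCheck {
    enum Mode { STRICT, INTEROPERABLE, INSECURE }

    /** True for java.version values of Java 6 Update 22 or later. */
    static boolean hasRfc5746Fix(String version) {
        String[] p = version.split("[._-]");
        try {
            int first = Integer.parseInt(p[0]);
            if (first > 1) return true;                  // "9", "11.0.2", "17.0.1"
            int major = p.length > 1 ? Integer.parseInt(p[1]) : 0;
            if (major != 6) return major > 6;            // 1.7+ yes; 1.5 and older: assumed unpatched
            int update = p.length > 3 ? Integer.parseInt(p[3]) : 0;
            return update >= 22;                         // "1.6.0_22" and later updates
        } catch (NumberFormatException e) {
            return false;                                // unknown format: fail closed
        }
    }

    /** Maps the two JSSE switches onto the modes named in Oracle's note. */
    static Mode mode(boolean allowUnsafeRenegotiation, boolean allowLegacyHello) {
        if (allowUnsafeRenegotiation) return Mode.INSECURE;   // legacy renegotiation re-enabled
        return allowLegacyHello ? Mode.INTEROPERABLE : Mode.STRICT;
    }

    static boolean flag(String name, String defaultValue) {
        return Boolean.parseBoolean(System.getProperty(name, defaultValue));
    }

    public static void main(String[] args) {
        String version = System.getProperty("java.version", "");
        boolean fixed = hasRfc5746Fix(version);
        // JVM defaults: unsafe renegotiation off, legacy hello messages allowed.
        Mode m = mode(flag("sun.security.ssl.allowUnsafeRenegotiation", "false"),
                      flag("sun.security.ssl.allowLegacyHelloMessages", "true"));

        System.out.println("java.version       = " + version);
        System.out.println("RFC 5746 fix       = " + fixed);
        System.out.println("renegotiation mode = " + m);

        if (!fixed || m == Mode.INSECURE) {
            System.err.println("Unsafe to enable renegotiation on this JVM configuration.");
            System.exit(1);
        }
    }
}
```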