Turning on TLS renegotiation
DLucas
dayne at idnet.com
Sun Sep 25 06:45:10 EDT 2011
Hi Trustin,
Oracle has released a fix to TLS renegotiation flaws as per RFC 5746:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
According to that document, safe renegotiation is on by default: "Use of the
proper RFC 5746 messages is optional, however legacy (original SSL/TLS
specifications) renegotiations are disabled if the proper messages are not
used. Initial legacy connections are still allowed, but legacy
renegotiations are disabled. This is the best mix of security and
interoperability, and is the default setting."
If this is the case, then enabling re-negotiation on a JVM that is Java 6
Update 22 or higher will not be a security issue anymore.
Best regards,
Dayne
--
View this message in context: http://netty-forums-and-mailing-lists.685743.n2.nabble.com/Turning-on-TLS-renegotiation-tp6778465p6828889.html
Sent from the Netty User Group mailing list archive at Nabble.com.
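
The three modes the linked Oracle document describes, as an added example that is not part of the original message and is not Netty or Oracle code: it classifies a JVM's renegotiation settings from the two JSSE system properties that document defines. The class, enum and method names are hypothetical, and the sample property sets in `main` are constructed.

```java
import java.util.Properties;

// Added example (not from the original post). Property names are the JSSE
// system properties from Oracle's RFC 5746 readme; everything else is hypothetical.
public class RenegotiationMode {
    enum Mode { STRICT, INTEROPERABLE, INSECURE }

    static final String UNSAFE_RENEG = "sun.security.ssl.allowUnsafeRenegotiation";
    static final String LEGACY_HELLO = "sun.security.ssl.allowLegacyHelloMessages";

    // Read a boolean property, falling back to the documented default.
    static boolean flag(Properties p, String key, boolean dflt) {
        String v = p.getProperty(key);
        return v == null ? dflt : Boolean.parseBoolean(v.trim());
    }

    static Mode classify(Properties p) {
        boolean unsafeReneg = flag(p, UNSAFE_RENEG, false); // default: false
        boolean legacyHello = flag(p, LEGACY_HELLO, true);  // default: true
        // Any setting that permits legacy renegotiation is treated as insecure here.
        if (unsafeReneg) return Mode.INSECURE;
        // Legacy peers may still connect, but cannot renegotiate (the default mix).
        if (legacyHello) return Mode.INTEROPERABLE;
        // Only peers that send the RFC 5746 messages are accepted at all.
        return Mode.STRICT;
    }

    // Startup guard: refuse to run if someone re-enabled legacy renegotiation.
    static void requireSafeRenegotiation(Properties p) {
        if (classify(p) == Mode.INSECURE) {
            throw new IllegalStateException(UNSAFE_RENEG + "=true: legacy renegotiation is enabled");
        }
    }

    public static void main(String[] args) {
        // Constructed sample: no overrides, i.e. the default the message quotes.
        Properties defaults = new Properties();
        System.out.println("no overrides  -> " + classify(defaults));

        // Constructed sample: an operator re-enabled the pre-fix behaviour.
        Properties weakened = new Properties();
        weakened.setProperty(UNSAFE_RENEG, "true");
        System.out.println("unsafe=true   -> " + classify(weakened));

        // The JVM this program is actually running on.
        System.out.println("this JVM      -> " + classify(System.getProperties()));
        requireSafeRenegotiation(System.getProperties());
    }
}
```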