Community
Participate
Working Groups
Build Identifier: 7.3.1 In SslContextFactory, TLS renegotiation is enabled by default. A few years ago a vulnerability was discovered[1] in HTTPS that uses this feature. A TLS extension[2] was added to address this, however I don't see any code checking to see if the client supports secure renegotiation. If there isn't any such code (I very well may simply have missed it), then renegotiation support should be disabled by default. [1] http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html [2] http://tools.ietf.org/html/rfc5746 Reproducible: Always
Chad, the renegotiation enabling was added to jetty in response to that vulnerability and we initially set to disabled. However, after several releases of JVM's and browsers that support rfc5746, we switched the default to enabled. I can't see anything in the java SSLEngine API that would allow us to detect if RFC5746 is being supported? Do you know of such a check? If so, then we would use that anded with the boolean.
Chad, I think the vulnerability has been fixed long enough now that we don't need to default to no renegotiation
Personally I still think it should be disabled as the majority of browsers still in use today don't have the TLS patch. But I understand that's just a matter of personal preference.
