Hello, I don't think we should remove this feature; at least, we should make it optional and disable it by default. Please note that as TLS will evolve to fix the vulnerabilities, supporting it means we should be able to have better support with future JDKs.
Jeff

On Tue, Apr 29, 2014 at 9:35 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 4/23/14 5:09 PM, Jeff MAURY wrote:
> > - SSL: We've refactored the SSL process to be more event oriented, but I
> > think we should complete it, mainly related to rehandshake
>
> After having read this:
>
> http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html
>
> I'm wondering if it wouldn't be better to explicitly claim that we
> won't support renegotiation?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

--
Jeff MAURY

"Legacy code" often differs from its suggested alternative by actually working and scaling.
- Bjarne Stroustrup

http://www.jeffmaury.com
http://riadiscuss.jeffmaury.com
http://www.twitter.com/jeffmaury