Am 30.05.2013, 02:18 Uhr, schrieb Xuelei Fan <xuelei....@oracle.com>:
2381456
Would you mind send me the link of the bug, or the code review request
mail? I may miss some mails about this direction.
I am afraid I cant sent the link, the Bug is in review state and therefore
not visible for me. It was acknowledged 2012-11-12, see attached. I guess
the link would be
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2381456 (not sure if
the numbers are the same in the new bug tool).
Good suggestion. Oracle provider of JSSE had addressed the TLS
renegotiation issue in JDK 1.4.2 update 26, JDK 1.5.0 update 24 and JDK
6u 19 around the end of 2009 and the beginning of 2010. Here is the
readme of the fix:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html.
Thats a different problem, I was thinking about preventing execessive
client initiated renegotiations. This is for example CVE-2011-1473 from
THC.
You mentioned industry will move to a secure handshake - are you aware
of any initiative in that direction?
See http://www.rfc.org/rfc/rfc5746.txt. As far as I know, nearly all
major vendors of SSL protocols has support RFC5746.
Ok, but thats a different issue. I was expecting 7188658 to address
another point, but I might be wrong.
I understand that as of Oracle policy we cannot discuss it. Even if this
is a very well known issue. :-/
Greetings
Bernd
--
http://bernd.eckenfels.net
Date Created: Mon Nov 12 12:13:08 MST 2012
Type: bug
Customer Name: Bernd Eckenfels
SDN ID:
status: Waiting
Category: jsse
Subcategory: runtime
release: 7
hardware: x64
OSversion: linux_sles11
priority: 4
Synopsis: Excessive SSL renegotiation possible
Description:
FULL PRODUCT VERSION :
java version "1.7.0_09"
Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Various Versions
A DESCRIPTION OF THE PROBLEM :
The SSL/TLS Server Socket (and SSLEngine) of JSSE seems not to protect
itself from excessive handshake requests and renegotiations. This leads to
a high CPU load. For other products this is filed as CVE-2011-1473 or
CVE-2011-5094.
A minimum solution would be to actually turn the renegotiation support
off, IBM JDK for example offers the option "com.ibm.jsse2.renegotiate"
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- set up a JSSE ServerSocket
- connect with openssl s_client (use "R" command) or thc tool
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
after a small number of consecutive renegotiates the server should ignore
them
ACTUAL -
server-cpu is fully used
REPRODUCIBILITY :
This bug can be reproduced always.
