Got it. Yes, this fix is addressing a different issue from the one you mentioned below.

Thanks,
Xuelei

On 5/30/2013 9:53 AM, Bernd Eckenfels wrote:
> On 30.05.2013, 02:18, Xuelei Fan <xuelei....@oracle.com> wrote:
>>> 2381456
>> Would you mind sending me the link of the bug, or the code review request
>> mail? I may miss some mails about this direction.
>
> I am afraid I can't send the link, the Bug is in review state and
> therefore not visible for me. It was acknowledged 2012-11-12, see
> attached. I guess the link would be
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2381456 (not sure if
> the numbers are the same in the new bug tool).
>
>> Good suggestion. Oracle provider of JSSE had addressed the TLS
>> renegotiation issue in JDK 1.4.2 update 26, JDK 1.5.0 update 24 and JDK
>> 6u 19 around the end of 2009 and the beginning of 2010. Here is the
>> readme of the fix:
>> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html.
>>
>
> That's a different problem, I was thinking about preventing excessive
> client initiated renegotiations. This is for example CVE-2011-1473 from
> THC.
>
>>> You mentioned industry will move to a secure handshake - are you
>>> aware of any initiative in that direction?
>>>
>> See http://www.rfc.org/rfc/rfc5746.txt. As far as I know, nearly all
>> major vendors of SSL protocols have supported RFC5746.
>
> Ok, but that's a different issue. I was expecting 7188658 to address
> another point, but I might be wrong.
>
> I understand that as of Oracle policy we cannot discuss it. Even if this
> is a very well known issue. :-/
>
> Greetings
> Bernd