Re: Disable TLS Renegociation ?

Tue, 23 Apr 2024 06:30:21 -0700 


On 4/23/24 5:54 AM, Simon Bernard wrote:


Hi,

I'm implementing coaps+tcp (Coap over TLS) for LWM2M protocol.

In this context, I would like to disable TLS renegotiation because :

  * by the past we faces security issue about it
  * it doesn't really make sense to use it  with those protocols
    (better to not increase the attack surface for nothing)
  * (TLS) / (DTLS) Profiles for the Internet of Things strongly
    recommend (mandate?) to disable it :
    https://datatracker.ietf.org/doc/html/rfc7925#section-17


So what is the right way to deactivate it  (for SslSocket and 
SslEngine) ? I searched for a programmatically way to do that (maybe 
using SSLParam) but didn't find it.



Only find a system properties : 
|jdk.tls.rejectClientInitiatedRenegotiation| to /"Rejects 
client-initiated renegotiation on the server side. If this system 
property is |true|, then the server will not accept client initiated 
renegotiations and will fail with a fatal |handshake_failure| alert. 
Rejects server-side client-initialized renegotiation."



/But the documentation says :///"This system property is currently 
used by the JSSE implementation, but it is not guaranteed to be 
examined and used by other implementations. If it is examined by 
another implementation, then that implementation should handle it in 
the same manner as the JSSE implementation does. There is no guarantee 
the property will continue to exist or be of the same type (system or 
security) in future releases."/



(source : 
https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9)



Which sounds not so good and is only documented for java 17 and 21 (I 
just checked LTS version), not java 8 or 11. /

/


That property is supported in JDK 8 and up. It was originally introduced 
in JDK 8. It is supported in the SunJSSE provider. If you are using a 
different JSSE provider, it may not be supported. But most (all?) 
implementations of OpenJDK probably include the SunJSSE provider.



The docs for JDK 8 and 11 should document this property - I'll file an 
issue to have them updated.


--Sean





















					Reply via email to