- Enhancement
- Resolution: Unresolved
- P3
- None
- 9
- generic
- generic

The security libraries contain system properties to allow interoperability with old, non-compliant TLS applications. These properties have been around long enough, and it's probably best to harden the JDK code and remove some of these old legacy properties.
> * sun.security.ssl.allowUnsafeRenegotiation system property.
> Setting this system property to true permits full (unsafe) legacy
> renegotiation.
> * sun.security.ssl.allowLegacyHelloMessages system property.
> Setting this system property to true allows the peer to handshake
> without requiring the proper RFC 5746 messages.
See JSSE docs for further information: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
It might be best to deprecate them in JDK 9 and remove them in JDK 10.
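Before these properties are deprecated or removed, it helps to know which deployments still set them. The following is an added example, not part of this issue or of the JDK: it audits JVM option strings and maps the two flags to the mode names (strict, interoperable, insecure) and defaults given in the linked JSSE Reference Guide. The service names and option strings are constructed, and the script assumes that a later `-D` overrides an earlier one and that only a case-insensitive `true` enables a property.

```python
import shlex

UNSAFE_RENEG = "sun.security.ssl.allowUnsafeRenegotiation"
LEGACY_HELLO = "sun.security.ssl.allowLegacyHelloMessages"
# Defaults as documented in the JSSE Reference Guide for JDK 8.
DEFAULTS = {UNSAFE_RENEG: False, LEGACY_HELLO: True}

def parse(jvm_options):
    """Return (effective flags, explicitly set names) for one options string."""
    flags, explicit = dict(DEFAULTS), set()
    for token in shlex.split(jvm_options):
        if not token.startswith("-D"):
            continue
        name, _, value = token[2:].partition("=")
        if name in flags:
            # Assumption: last -D wins; only "true" (any case) enables.
            flags[name] = value.strip().lower() == "true"
            explicit.add(name)
    return flags, explicit

def classify(flags):
    """Map the two flags to the mode names used in the JSSE guide."""
    if flags[UNSAFE_RENEG] and flags[LEGACY_HELLO]:
        return "insecure"
    if flags[UNSAFE_RENEG]:
        return "unlisted"  # combination not listed in the guide
    return "interoperable" if flags[LEGACY_HELLO] else "strict"

def audit(services):
    """Report every service that sets either property explicitly."""
    report = {}
    for name, options in services.items():
        flags, explicit = parse(options)
        if explicit:  # depends on a property proposed for removal
            report[name] = (classify(flags), sorted(explicit))
    return report

# Constructed sample: service name -> JVM options (e.g. a JAVA_OPTS value).
SAMPLE = {
    "billing": "-Xmx2g -Dsun.security.ssl.allowUnsafeRenegotiation=true",
    "gateway": "-Dsun.security.ssl.allowLegacyHelloMessages=false -Dfile.encoding=UTF-8",
    "reports": "-Xms512m -Djava.awt.headless=true",
    "legacy-sync": "-Dsun.security.ssl.allowUnsafeRenegotiation=true "
                   "-Dsun.security.ssl.allowUnsafeRenegotiation=false",
}

if __name__ == "__main__":
    for service, (mode, props) in audit(SAMPLE).items():
        print(f"{service}: mode={mode} sets={', '.join(props)}")
```

Services reported as `insecure` are the ones that would change behaviour most if the properties were removed; those that only restate a default can drop the flag ahead of time.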
1. Remove allowUnsafeRenegotiation and allowLegacyHelloMessages properties | Open | Unassigned