src/share/classes/sun/security/ssl/ServerHandshaker.java

7188658 Add possibility to disable client initiated renegotiation

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -277,10 +277,17 @@
     private void clientHello(ClientHello mesg) throws IOException {
         if (debug != null && Debug.isOn("handshake")) {
             mesg.print(System.out);
         }
 
+        // reject client initialized renegotiation?
+        if (rejectClientInitializedRenego && !isInitialHandshake &&
+                state != HandshakeMessage.ht_hello_request) {
+            fatalSE(Alerts.alert_handshake_failure,
+                "Client initialized renegotiation is not allowed");
+        }
+
         // check the server name indication if required
         ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
                     mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
         if (!sniMatchers.isEmpty()) {
             // we do not reject client without SNI extension
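Review bot: The new guard answers a refused client-initiated renegotiation with a fatal `handshake_failure`, which tears down the connection, whereas the existing `!allowUnsafeRenegotiation` branch later in this same method replies with a `no_renegotiation` warning and sets `invalidated = true` so the caller disposes the handshaker; if closing the connection is deliberate (for instance to stop a peer from driving repeated renegotiations), the comment should say so, e.g. `// Deliberately fatal: a warning alert would let the client keep retrying.`, otherwise `warningSE(Alerts.alert_no_renegotiation); invalidated = true;` would match the established behaviour. The guard also appears to rely on `state` still holding `ht_hello_request` when the server itself requested the renegotiation, and on `rejectClientInitializedRenego` being initialised somewhere outside this hunk; neither is visible here, so a one-line comment naming where the flag comes from would help the next reader. "Initialized" in the comment, the field name and the alert message is a misnomer for what is being rejected — the intended term is "initiated" (client-initiated renegotiation), and aligning the wording now avoids a later rename of a public-facing message. clientHello continues past the end of the hunk.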

@@ -367,11 +374,11 @@
                         "indication in ClientHello, allow legacy ClientHello");
                 }
             } else if (!allowUnsafeRenegotiation) {
                 // abort the handshake
                 if (activeProtocolVersion.v >= ProtocolVersion.TLS10.v) {
-                    // response with a no_renegotiation warning,
+                    // response with a no_renegotiation warning
                     warningSE(Alerts.alert_no_renegotiation);
 
                     // invalidate the handshake so that the caller can
                     // dispose this object.
                     invalidated = true;