Java Security

Session renegotiation with JDK 1.6_20

843811, Jun 18 2010 (edited Jun 18 2010)
We are using Pramati application server (5.0 SP3).
To disable session renegotiation, we upgraded our server to use JDK 1.6_20 (which has the fix for this issue).
Now we are starting the server with the following system property:

-Dsun.security.ssl.allowUnsafeRenegotiation=false

Even after setting this, in our security audit, this server was found to be vulnerable to a man-in-the-middle attack (using session renegotiation).

Any clues why the server/JDK is still allowing session renegotiation?
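An added sanity check, not from the post and not Pramati's own tooling: given the argument list of the JVM process that is actually serving TLS (for example from `ps -o args=` or `jps -v`) and the first line of its `java -version` output, the helpers below report whether the property reached that process and whether the JDK is at least update 20. The property name and version come from the post; the sample command lines, the main class name and the parsing rules are constructed assumptions.

```shell
#!/bin/sh
# Verification helpers (added example). They inspect what the live JVM was
# started with, not what the start script intended to pass.

# Print one of: disabled | enabled | unset
# Assumption: for repeated -D flags the later one wins, so the last value is kept.
# Only the literal value "false" is treated as disabling, to stay conservative.
renegotiation_flag_state() {
    cmdline="$1"
    value=""
    for tok in $cmdline; do
        case "$tok" in
            -Dsun.security.ssl.allowUnsafeRenegotiation=*)
                value="${tok#*=}"
                ;;
        esac
    done
    case "$value" in
        "")    echo unset ;;
        false) echo disabled ;;
        *)     echo enabled ;;
    esac
}

# Succeed (exit 0) if a line like: java version "1.6.0_20"
# reports a 1.6.0 update number >= the required one. Other majors fail.
jdk6_update_at_least() {
    version_line="$1"; required="$2"
    upd=$(printf '%s\n' "$version_line" | sed -n 's/.*"1\.6\.0_\([0-9][0-9]*\)".*/\1/p')
    [ -n "$upd" ] && [ "$upd" -ge "$required" ]
}

# Constructed sample inputs (not real process data; ServerMain is a placeholder).
SAMPLE_CMDLINE='/opt/jdk1.6.0_20/bin/java -Xmx1g -Dsun.security.ssl.allowUnsafeRenegotiation=false ServerMain'
SAMPLE_WRAPPER='/usr/lib/jvm/java-6/bin/java -Xmx1g ServerMain'
SAMPLE_VERSION='java version "1.6.0_20"'

# Demonstration on the constructed samples.
echo "flag on patched command line: $(renegotiation_flag_state "$SAMPLE_CMDLINE")"   # disabled
echo "flag on wrapper command line: $(renegotiation_flag_state "$SAMPLE_WRAPPER")"   # unset
if jdk6_update_at_least "$SAMPLE_VERSION" 20; then
    echo "JDK update level is sufficient"
else
    echo "JDK update level is too old"
fi
```

If the property is present in the start script but the live process shows `unset`, the application server is launching a different JVM (for example a bundled JRE) or dropping the option; fix the launcher and re-check the process, not the script.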