Earlier solution for Transport Layer Security (TLS) Renegotiation Issue

A weakness exists in some implementations of Transport Layer Security (TLS) handshake negotiation. IBM addressed this vulnerability in updates to the IBM® SDK. In service refresh 6, fix pack 25, the solution changed to match the reference implementation. For information about the new solution, see Transport Layer Security (TLS) Renegotiation Issue. Continue reading this topic only if you are using an earlier release of the SDK.

Overview

See CVE-2009-3555 for details of the vulnerability. IBM implements RFC 5746, which contains additional function to address the security of TLS handshake renegotiation.

Content

The IETF has published RFC 5746, Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 defines a mechanism to implement TLS/SSL handshake renegotiation securely. Use of RFC 5746 replaces the industry-wide interim solution, implemented after the weakness was discovered, of disabling all renegotiation.

IBM JSSE2 allows SSL V3 or TLS V1 session renegotiation with peers that have implemented RFC 5746. Session renegotiation with peers that do not support RFC 5746 reverts to the interim disablement solution. By default, unsecured renegotiation is not allowed. Use the system property com.ibm.jsse2.renegotiate to control how unsecured renegotiations are handled by IBM JSSE2.

Read RFC 5746 for additional details if interested in the underlying TLS protocol changes to correct the weakness.

The following system properties are available to control how restrictive IBM JSSE2 is in the enforcement of RFC 5746:
com.ibm.jsse2.extended.renegotiation.indicator=[BOTH | CLIENT | OPTIONAL | SERVER]
Use this property to force all negotiations to require RFC 5746, not just renegotiations. This setting is practical only after all the required communication partners have implemented RFC 5746. The default setting is OPTIONAL.
com.ibm.jsse2.extended.renegotiation.indicator=BOTH
Causes the IBM JSSE2 Server or IBM JSSE2 Client to connect only if the peer indicated support for RFC 5746 renegotiation.
Note: Setting the property to BOTH causes interoperability problems with clients or servers that have not been updated to support RFC 5746.
com.ibm.jsse2.extended.renegotiation.indicator=CLIENT
Causes the IBM JSSE2 Client to connect only if the server indicated support for RFC 5746 Renegotiation.
Note: Setting the property to CLIENT causes interoperability problems with servers that have not been updated to support RFC 5746.
com.ibm.jsse2.extended.renegotiation.indicator=OPTIONAL
This setting is the default. Using this option means that the IBM JSSE2 Server or IBM JSSE2 Client does not require the renegotiation indicator during the initial handshake.
com.ibm.jsse2.extended.renegotiation.indicator=SERVER
Causes the IBM JSSE2 Server to connect only if the client indicated support for RFC 5746 Renegotiation.
Note: Setting the property to SERVER causes interoperability problems with clients that have not been updated to support RFC 5746.
com.ibm.jsse2.renegotiate=[ABBREVIATED | ALL | DISABLED | NONE]
Use this property to change the renegotiation ability of IBM JSSE2. The default value is NONE.
com.ibm.jsse2.renegotiate=ABBREVIATED
This setting overrides the default and allows an unsecured abbreviated handshake during renegotiation when session continuity is proven. RFC 5746 renegotiations are allowed.
com.ibm.jsse2.renegotiate=ALL
This setting overrides the default and allows an unsecured full handshake, and an unsecured abbreviated handshake, during renegotiation. RFC 5746 renegotiations are allowed.
com.ibm.jsse2.renegotiate=DISABLED
This setting overrides the default and disables all unsecured and RFC 5746 renegotiations.
com.ibm.jsse2.renegotiate=NONE
This setting is the default. No unsecured handshake renegotiation is allowed. Only RFC 5746 renegotiations are allowed.
com.ibm.jsse2.renegotiation.peer.cert.check=[OFF | ON]
Use this property to change the renegotiation ability of IBM JSSE2 to require the peer support that is specified in RFC 5746. This requirement is only practical after all the required communication partners have implemented RFC 5746. The default value is OFF.
com.ibm.jsse2.renegotiation.peer.cert.check=OFF
This setting is the default. It stops the IBM JSSE2 Client or IBM JSSE2 Server from performing an identity check against the certificate from the peer. The result is that the peer certificate is allowed to change during renegotiation.
com.ibm.jsse2.renegotiation.peer.cert.check=ON
This setting causes the IBM JSSE2 Client or IBM JSSE2 Server to compare the certificate from the peer against the one received in the previous handshake. This ensures that the certificate does not change during renegotiation. The comparison is applicable to both secure and non-secure renegotiations.
To address Oracle security fix 8037066, a further system property, jdk.tls.allowUnsafeServerCertChange=[false | true], is available. Use this property to allow an unsafe server certificate change in renegotiation. However, the property takes effect only when com.ibm.jsse2.renegotiation.peer.cert.check is set to OFF. If com.ibm.jsse2.renegotiation.peer.cert.check is set to ON, the jdk.tls.allowUnsafeServerCertChange property is overridden and no certificate change is allowed in renegotiation.
jdk.tls.allowUnsafeServerCertChange=false
This setting is the default. The server certificate change in renegotiation after a session-resumption abbreviated initial handshake is restricted. The server certificate can be changed only to a certificate that represents the same identity.
jdk.tls.allowUnsafeServerCertChange=true
If the system property is set to true explicitly, the restriction on server certificate change in renegotiation is disabled.
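The properties above must be in place before IBM JSSE2 initializes, and their interactions (for example, jdk.tls.allowUnsafeServerCertChange only mattering when com.ibm.jsse2.renegotiation.peer.cert.check is OFF) are easy to get wrong in a deployment. The following is an added example, not IBM's code: a startup audit that reads the four properties with the defaults documented on this page and refuses to start with a weak policy, plus a client-side check that mirrors what peer.cert.check=ON enforces by comparing the peer's certificate chain before and after one renegotiation. It assumes that, as in the reference implementation, a second startHandshake() on an established SSLSocket requests renegotiation and that the renegotiation completes on the next application read; the host, port and HTTP probe request are placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (not IBM code): audits the JSSE2 renegotiation properties documented above. */
public final class RenegotiationPolicyAudit {

    /** Reads a property as the page documents it: unset or blank means the documented default. */
    private static String prop(String name, String documentedDefault) {
        String v = System.getProperty(name);
        return (v == null || v.trim().isEmpty()) ? documentedDefault : v.trim().toUpperCase();
    }

    /** Returns "WEAK:" findings (unsafe policy) and "NOTE:" findings (interoperability only). */
    static List<String> audit() {
        List<String> findings = new ArrayList<>();

        String reneg = prop("com.ibm.jsse2.renegotiate", "NONE");
        if (reneg.equals("ALL") || reneg.equals("ABBREVIATED")) {
            findings.add("WEAK: com.ibm.jsse2.renegotiate=" + reneg
                    + " permits unsecured (pre-RFC 5746) renegotiation");
        } else if (!reneg.equals("NONE") && !reneg.equals("DISABLED")) {
            findings.add("WEAK: com.ibm.jsse2.renegotiate=" + reneg + " is not a documented value");
        }

        String certCheck = prop("com.ibm.jsse2.renegotiation.peer.cert.check", "OFF");
        String unsafeChange = prop("jdk.tls.allowUnsafeServerCertChange", "FALSE");
        // peer.cert.check=ON overrides allowUnsafeServerCertChange, so only OFF plus true is weak.
        if (certCheck.equals("OFF") && unsafeChange.equals("TRUE")) {
            findings.add("WEAK: peer.cert.check=OFF with jdk.tls.allowUnsafeServerCertChange=true:"
                    + " the server certificate may change identity during renegotiation");
        }

        String indicator = prop("com.ibm.jsse2.extended.renegotiation.indicator", "OPTIONAL");
        if (indicator.equals("BOTH") || indicator.equals("CLIENT") || indicator.equals("SERVER")) {
            findings.add("NOTE: extended.renegotiation.indicator=" + indicator
                    + " rejects peers that have not implemented RFC 5746");
        }
        return findings;
    }

    /**
     * Client-side equivalent of peer.cert.check=ON: the peer chain seen after the initial
     * handshake must be identical to the chain seen after a renegotiation.
     * ASSUMPTION: the second startHandshake() requests renegotiation and the following
     * write/read drives it to completion, as in the reference implementation.
     * With com.ibm.jsse2.renegotiate=NONE and a peer lacking RFC 5746, the renegotiation
     * is refused and this method throws an SSLException (an IOException), which is the
     * intended enforcement rather than a defect.
     */
    static boolean peerChainStableAcrossRenegotiation(SSLSocket socket, byte[] request)
            throws IOException {
        socket.startHandshake();                                   // initial handshake
        Certificate[] before = socket.getSession().getPeerCertificates();
        socket.startHandshake();                                   // request renegotiation
        socket.getOutputStream().write(request);
        socket.getOutputStream().flush();
        if (socket.getInputStream().read() < 0) {
            throw new IOException("peer closed the connection during renegotiation");
        }
        Certificate[] after = socket.getSession().getPeerCertificates();
        return Arrays.equals(before, after);                       // Certificate.equals compares DER encodings
    }

    public static void main(String[] args) throws IOException {
        // Run the audit before any SSL use so that a bad -D setting is caught before JSSE2 reads it.
        List<String> findings = audit();
        boolean weak = false;
        for (String f : findings) {
            System.err.println(f);
            weak |= f.startsWith("WEAK:");
        }
        if (weak) {
            System.exit(2);
        }
        if (args.length == 2) {                                    // placeholder: host and port to probe
            String host = args[0];
            int port = Integer.parseInt(args[1]);
            byte[] probe = ("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII);
            try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port)) {
                boolean stable = peerChainStableAcrossRenegotiation(s, probe);
                System.out.println("peer certificate unchanged across renegotiation: " + stable);
            }
        }
    }
}
```

Run it with the properties on the command line, for example java -Dcom.ibm.jsse2.renegotiate=NONE -Dcom.ibm.jsse2.renegotiation.peer.cert.check=ON RenegotiationPolicyAudit <host> <port>; the same properties set with -Dcom.ibm.jsse2.renegotiate=ALL make the audit exit with status 2 before any connection is opened. The socket check is deliberately separate from the audit: the audit is cheap and safe to run in every process, while the probe needs a reachable peer that answers the request.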