Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change default value for SslContextFactory.renegotiationAllowed to false #12378

Closed
sbordet opened this issue Oct 11, 2024 · 0 comments · Fixed by #12379
Closed

Change default value for SslContextFactory.renegotiationAllowed to false #12378

sbordet opened this issue Oct 11, 2024 · 0 comments · Fixed by #12379
Assignees
@sbordet
Labels
Bug For general bugs on Jetty side Sponsored This issue affects a user with a commercial support agreement

Comments

@sbordet
Copy link
Contributor

sbordet commented Oct 11, 2024

Jetty version(s)
12.0.x

Description
TLS renegotiation is the feature that allows (typically clients) to issue a TLS handshake in the middle of an already established secure communication.

This feature has proven to be vulnerable, and RFC 5746 fixes this vulnerability for TLS versions <= 1.2.

In TLS 1.3, the renegotiation feature has been removed.

We should change the default to false.
@sbordet sbordet added the Bug For general bugs on Jetty side label Oct 11, 2024
@sbordet sbordet self-assigned this Oct 11, 2024
@sbordet sbordet moved this to 🏗 In progress in Jetty 12.0.15 FROZEN Oct 11, 2024
sbordet added a commit that referenced this issue Oct 11, 2024
@sbordet
Fixes #12378 - Change default value for SslContextFactory.renegotiati…
d3c3f7c 
…onAllowed to false.

Signed-off-by: Simone Bordet <[email protected]>
@sbordet sbordet linked a pull request Oct 11, 2024 that will close this issue
Fixes #12378 - Change default value for SslContextFactory.renegotiationAllowed to false. #12379
Merged
@sbordet sbordet added the Sponsored This issue affects a user with a commercial support agreement label Oct 11, 2024
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Jetty 12.0.15 FROZEN Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbordet sbordet

Labels
Bug For general bugs on Jetty side Sponsored This issue affects a user with a commercial support agreement
Projects
No open projects
Jetty 12.0.15 FROZEN
Status: ✅ Done
Milestone
No milestone
1 participant
@sbordet