
Change default value for SslContextFactory.renegotiationAllowed to false #12378

@sbordet

Jetty version(s)
12.0.x

Description
TLS renegotiation is the feature that allows (typically clients) to issue a TLS handshake in the middle of an already established secure communication.

This feature has proven to be vulnerable, and RFC 5746 fixes this vulnerability for TLS versions <= 1.2.

In TLS 1.3, the renegotiation feature has been removed.

We should change the default to false.

Labels

Bug: For general bugs on Jetty side
Sponsored: This issue affects a user with a commercial support agreement
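
For deployments on Jetty 12.0.x that should not depend on the default, the flag can be set explicitly and every TLS connector checked before startup. This is an added example, not code from the issue or the Jetty project; the class name `RenegotiationAudit`, the keystore path and password, and port 8443 are placeholders or assumptions.

```java
import java.util.ArrayList;
import java.util.List;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class RenegotiationAudit { // hypothetical class name
    /** Returns the connectors whose TLS configuration still permits renegotiation. */
    static List<Connector> connectorsAllowingRenegotiation(Server server) {
        List<Connector> offenders = new ArrayList<>();
        for (Connector connector : server.getConnectors()) {
            // Plain-text connectors have no SslConnectionFactory and are skipped.
            SslConnectionFactory ssl = connector.getConnectionFactory(SslConnectionFactory.class);
            if (ssl != null && ssl.getSslContextFactory().isRenegotiationAllowed())
                offenders.add(connector);
        }
        return offenders;
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory.Server tls = new SslContextFactory.Server();
        tls.setKeyStorePath("/path/to/keystore.p12"); // placeholder path
        tls.setKeyStorePassword("changeit");          // placeholder password
        tls.setRenegotiationAllowed(false);           // explicit, independent of the version's default

        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(tls, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https));
        connector.setPort(8443); // assumed port
        server.addConnector(connector);

        // Refuse to start if any TLS connector was left on a permissive setting.
        List<Connector> offenders = connectorsAllowingRenegotiation(server);
        if (!offenders.isEmpty())
            throw new IllegalStateException("TLS renegotiation allowed on: " + offenders);
        server.start();
        server.join();
    }
}
```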
