I'm not sure how well Java supports renegotiation under the hood. I've done quite a bit of digging, and there are very few documents (if any, certainly nothing official) on how to trigger secure renegotiation from a Java client or handle it as a server that complies with the renegotiation RFC. Most of the searches I did returned panicked articles about CVE-2009-3555.

In any case, CRuby supports setting a renegotiation callback that gets triggered when SSL connections are established (similar to the other callbacks on the SSLContext):

JRuby does not:

```
jruby-9.1.7.0 :001 > require 'openssl'
 => true
jruby-9.1.7.0 :002 > ctx = OpenSSL::SSL::SSLContext.new
 => #<OpenSSL::SSL::SSLContext:0x7966baa7>
jruby-9.1.7.0 :003 > ctx.renegotiation_cb = Proc.new { "pop" }
NoMethodError: undefined method `renegotiation_cb=' for #<OpenSSL::SSL::SSLContext:0x7966baa7>
	from (irb):3:in `<eval>'
	from org/jruby/RubyKernel.java:1000:in `eval'
	from org/jruby/RubyKernel.java:1298:in `loop'
	from org/jruby/RubyKernel.java:1120:in `catch'
	from org/jruby/RubyKernel.java:1120:in `catch'
	from /Users/dlampa/.rvm/rubies/jruby-9.1.7.0/bin/irb:13:in `<main>'
```

Is there a technical reason this attribute wasn't included in jruby-openssl? I'm willing to take a crack at implementing it, but wanted to make sure whether or not there was a decision to explicitly not include it.
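
The CRuby callback described above, used to refuse a second handshake on the same connection and feature-detected so the same code loads on JRuby. This is an added example, not part of the original issue or of jruby-openssl. `HandshakeGuard` and its method names are hypothetical; the callback semantics (invoked with the SSLSocket when a handshake starts, raising an exception cancels it) follow CRuby's OpenSSL documentation.

```ruby
require 'openssl'

# Hypothetical helper (added example): limits handshakes per TLS connection
# through SSLContext#renegotiation_cb where the runtime provides it.
class HandshakeGuard
  class RenegotiationRefused < RuntimeError; end

  COUNTER = :@__handshake_guard_count

  def initialize(max_handshakes: 1)
    @max = max_handshakes
  end

  # Returns a callable for SSLContext#renegotiation_cb=.
  # CRuby calls it with the SSLSocket each time a handshake begins on that
  # socket; a normal return lets the handshake proceed, raising cancels it.
  def callback
    max = @max
    lambda do |ssl|
      # Keep the count on the socket itself so connections sharing one
      # SSLContext do not share a counter.
      count = (ssl.instance_variable_get(COUNTER) || 0) + 1
      ssl.instance_variable_set(COUNTER, count)
      if count > max
        raise RenegotiationRefused, "handshake ##{count} refused (limit #{max})"
      end
    end
  end

  # Installs the callback if the SSLContext exposes the attribute.
  # Returns false on runtimes without it (the JRuby session above), so the
  # caller can fail closed or disable renegotiation by other means.
  def install(ctx)
    return false unless ctx.respond_to?(:renegotiation_cb=)
    ctx.renegotiation_cb = callback
    true
  end
end
```

A server would call `HandshakeGuard.new.install(ctx)` before wrapping sockets and treat a `false` return as "renegotiation is not being policed by this callback".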