Reputation: 1015
Setting up the context:
In Java 8 (precisely 8b98), in order to deal with client-initiated renegotiation causing vulnerability to denial-of-service attacks, an undocumented flag named jdk.tls.rejectClientInitiatedRenegotiation was rolled out as part of Transport Layer Security, which could disable client-initiated renegotiations.
jdk.tls.rejectClientInitiatedRenegotiation = true
The server I'm using is JBoss 7.1.1, which supports Java 7. However, the servers supporting Java 8 are JBoss EAP and WildFly, and I'm reluctant to switch to these new servers.
Now my challenge is to implement this property somehow in Java 7. Any sort of guidance will be highly appreciated.
Upvotes: 2
Views: 2254
Reputation: 3174
Indeed, Java 7 doesn't support this option. Maybe an acceptable behavior could be the Interoperable mode as in the description of the Phase 2 fix of JSSE 7, which means enabling renegotiation for "good" clients?
My exact answer is to switch to an OpenSSL implementation, particularly one with the hard-coded renegotiation denial; then you get rid of the JSSE implementation, which doesn't support your hard-to-find option.
First, you need OpenSSL 0.9.8l, which just denies all client renegotiations. After that, enable the Native Connectors on JBoss 7.1 and configure them as described in this documentation.
Web archive links:
Upvotes: 1
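Added example (not code from the question or the answer above): on Java 8 the property from the question is set before JSSE initialises; on Java 7, where the property is ignored, a HandshakeCompletedListener on each accepted SSLSocket counts completed handshakes and closes the connection on the first renegotiation. This assumes a plain JSSE SSLServerSocket; wiring the listener into the JBoss 7.1.1 connector is not shown.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * Per-connection renegotiation cap for a JSSE server socket.
 * JSSE fires handshakeCompleted once for the initial handshake and once
 * more for every renegotiation, so a second event means the client
 * renegotiated. Caveat: that handshake has already consumed server CPU
 * by the time the listener runs; this limits repeats, it does not reject
 * the first renegotiation the way the Java 8 property does.
 */
public final class RenegotiationLimiter implements HandshakeCompletedListener {
    private final AtomicInteger completedHandshakes = new AtomicInteger();

    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        if (completedHandshakes.incrementAndGet() > 1) {
            try {
                event.getSocket().close(); // drop the renegotiating client
            } catch (IOException ignored) {
                // socket is already going away; nothing else to do
            }
        }
    }

    /** Accepts one client and attaches the limiter before any application I/O. */
    public static SSLSocket acceptLimited(SSLServerSocket server) throws IOException {
        SSLSocket socket = (SSLSocket) server.accept();
        socket.addHandshakeCompletedListener(new RenegotiationLimiter());
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Java 8 only: the property from the question, set before JSSE loads.
        // Java 7 silently ignores it, hence the listener-based fallback above.
        System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
        // Assumes keystore settings (javax.net.ssl.keyStore etc.) are supplied
        // via -D system properties; port 8443 is an assumption, not from the page.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            SSLSocket client = acceptLimited(server);
            client.startHandshake(); // first handshake: allowed
            client.close();
        }
    }
}
```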