Enabling SSL/TLS Renegotiation in Java

Submitted by alla on Tue, 06/08/2010 - 14:40

All the crazy SSL servers seem to come my way - ones that only support weird combinations of protocols and ciphers, ones that require client certificates stored on PKCS#11 hardware, and ones that require SSL renegotiation.

Turns out that Sun has recently disabled SSL/TLS renegotiation in Java by default as a workaround for SSL/TLS renegotiation vulnerability. This becomes a problem when trying to test an HTTPS server that actually requires renegotiation. Burp suite reacts to it with an error message saying "javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message" or, if I enable only TLSv1, with a message saying "javax.net.ssl.SSLHandshakeException: renegotiation is not allowed". I expect that other Java-based proxies, such as WebScarab behave in a similar way.

Fortunately, renegotiation can be explicitly enabled by setting the Java system property system property sun.security.ssl.allowUnsafeRenegotiation to true. For example, to run Burp suite we can do :

java -Dsun.security.ssl.allowUnsafeRenegotiation=true -jar burpsuite_pro_v1.3.04.jar


+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
VAT: BE 0821.897.133.