iSaSiLk Security Advisory: TLS renegotiation attack
iSaSiLk v4.4 now supports the new RenegotiationInfo extension (RFC 5746) that has been specified by the IETF TLS working group to fix a severe security flaw in the SSL/TLS renegotiation protocol.
As a first countermeasure against the recently published SSL/TLS renegotiation attacks, we have released a new version of iSaSiLk that allows renegotiation to be disabled entirely. You just have to call the method setDisableRenegotiation(true) on your SSLServerContext object:
SSLServerContext serverContext = ...;
serverContext.setDisableRenegotiation(true);
Renegotiation is an inherent feature of the SSL/TLS protocol and is used by many web applications. Before disabling renegotiation entirely, you should verify and test that your application continues to work without problems.
Note that disabling renegotiation is primarily an effective countermeasure on the server side. The client is not aware of the renegotiation and interprets it as an initial handshake. Disabling renegotiation on the client side -- by calling
clientContext.setDisableRenegotiation(true);
-- may help against variants of the attack in which, for instance, the attacker tries to renegotiate with the client.
Please note that this is NOT a bug or implementation failure of the iSaSiLk library. It is an attack against a vulnerability of the SSL/TLS protocol itself and therefore has to be fixed at the TLS protocol layer. The IETF TLS working group is currently working on a draft for a solution that allows renegotiation to continue to be used without being vulnerable to this new sort of attack. We will implement this solution and release a new iSaSiLk version as soon as the IETF draft is approved.
We will then announce this release on our announce mailing list and newsgroup.
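To illustrate how the RFC 5746 renegotiation_info extension mentioned at the top of this page binds a renegotiation to the previous handshake, here is an added Python example (not iSaSiLk code and not part of the original advisory). It encodes the extension as the RFC defines it (type 0xff01 carrying an opaque renegotiated_connection field) and performs the client-side check a protected client must apply to the ServerHello: on the initial handshake the field must be empty, on a renegotiation it must equal client_verify_data || server_verify_data from the previous Finished messages; any other value means the handshake must be aborted.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746
VERIFY_DATA_LEN = 12         # Finished.verify_data length in TLS 1.0-1.2


def encode_renegotiation_info(renegotiated_connection: bytes) -> bytes:
    """Encode extension type, extension length and opaque<0..255> body."""
    if len(renegotiated_connection) > 255:
        raise ValueError("renegotiated_connection too long")
    body = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", RENEGOTIATION_INFO, len(body)) + body


def decode_extensions(blob: bytes) -> dict:
    """Parse a TLS extension list into {type: data}; reject truncated input."""
    exts, pos = {}, 0
    while pos < len(blob):
        etype, elen = struct.unpack_from("!HH", blob, pos)
        pos += 4
        data = blob[pos:pos + elen]
        if len(data) != elen:
            raise ValueError("truncated extension")
        exts[etype] = data
        pos += elen
    return exts


def check_server_renegotiation_info(server_exts: dict, previous=None) -> bool:
    """Client-side verification of the ServerHello (RFC 5746, section 3.5).

    previous is None for the initial handshake, otherwise the tuple
    (client_verify_data, server_verify_data) of the handshake being renewed.
    Returns False whenever the connection must be aborted.
    """
    data = server_exts.get(RENEGOTIATION_INFO)
    if data is None:
        # Server did not acknowledge the extension: the peer is unpatched,
        # so a renegotiation with it cannot be trusted.
        return False
    if previous is None:
        expected = b""
    else:
        client_vd, server_vd = previous
        if len(client_vd) != VERIFY_DATA_LEN or len(server_vd) != VERIFY_DATA_LEN:
            return False
        expected = client_vd + server_vd
    # The length byte must match and the payload must be exactly the expected value.
    return data == bytes([len(expected)]) + expected
```

The same comparison, with the roles swapped (the server expects only client_verify_data from the ClientHello), is what lets a patched peer detect an attacker-spliced handshake instead of silently treating it as an initial one.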
See the iSaSiLk product page and visit our download center to get the new version.
Kind regards
Your SIC/IAIK Java Security Team!
