Set JVM variable rejectClientInitiatedRenegotiation to true by default

Mitigates https://nvd.nist.gov/vuln/detail/cve-2021-3449
crate · May 23, 2024 · 1dde03b · 1dde03b
1 parent d49bb79
commit 1dde03b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/app/src/main/dist/bin/crate b/app/src/main/dist/bin/crate
@@ -114,7 +114,7 @@ if [ "x$CRATE_USE_IPV4" != "x" ]; then
 fi
 
 ## GC configuration
-JAVA_OPTS="$JAVA_OPTS -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30"
+JAVA_OPTS="$JAVA_OPTS -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djdk.tls.rejectClientInitiatedRenegotiation=true"
 
 # GC logging options
 # Set CRATE_DISABLE_GC_LOGGING=1 to disable GC logging

diff --git a/app/src/main/dist/bin/crate.bat b/app/src/main/dist/bin/crate.bat
@@ -55,7 +55,7 @@ REM Enable aggressive optimizations in the JVM
 REM    - Disabled by default as it might cause the JVM to crash
 REM set JAVA_OPTS=%JAVA_OPTS% -XX:+AggressiveOpts
 
-set JAVA_OPTS=%JAVA_OPTS% -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30
+set JAVA_OPTS=%JAVA_OPTS% -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djdk.tls.rejectClientInitiatedRenegotiation=true
 
 REM GC logging default values
 SET GC_LOG_DIR=%CRATE_HOME%\logs

diff --git a/docs/appendices/release-notes/5.7.2.rst b/docs/appendices/release-notes/5.7.2.rst
@@ -43,6 +43,12 @@ Version 5.7.2 - Unreleased
 See the :ref:`version_5.7.0` release notes for a full list of changes in the
 5.7 series.
 
+Security Fixes
+==============
+
+- Fixed a security issue allowing clients using TLS v1.2 to do client-initiated
+  renegotiation which can lead to DoS.
+
 Fixes
 =====