Sun Java System Web Server 6.1 SP12/SP13 Release Notes

Features and Enhancements in 6.1 SP12

Web Server 6.1 SP12 now bundles JDK 1.6.0_17 on Solaris, Linux and Windows platforms. Web Server 6.1 SP12 still supports JDK 5 for backward compatibility. For more information on the supported versions for individual platforms, see J2SE and Java SE Support.

This release contains fixes of important bugs, including the following ones related to security vulnerabilities:

SSL/TLS Vulnerability Fix (CVE-2009-3555)

Web Server 6.1 SP12 is upgraded to include NSS 3.12.5 which provides relief for the SSL/TLS renegotiation vulnerability:

This vulnerability is a flaw in the current SSL/TLS renegotiation protocol definition. It is not a bug in the Web Server implementation. Due to this reason, there is no implementation-level fix for this vulnerability. The only workaround is to disable renegotiation entirely in order to protect the Web Server from attack.

Therefore, Web Server 6.1 SP12 disables all use of SSL/TLS renegotiation. If either the client or the Web Server attempt to trigger renegotiation on an existing SSL/TLS session, the connection will fail.

Typically renegotiation was used to obtain a client certificate sometime after the SSL/TLS connection was first established. Web applications which attempt to obtain a client certificate in this fashion will now fail.

Obtaining a client certificate during the initial connection handshake will continue to work correctly. This mode can be configured by setting the client-auth element to 'required' in server.xml:


A future update of Web Server 6.1 will implement a safe renegotiation protocol as soon as the IETF finalizes the design of the new protocol enhancement. It is possible to re-enable the vulnerable SSL/TLS renegotiation capability by setting the environment variable: NSS_SSL_ENABLE_RENEGOTIATION=1. This mode is known to be vulnerable to attack as described in CVE-2009-3555.