6 SR7 and later releases should contain the fix for the CVE-2009-3555 issue.
However, when I'm running a Tomcat HTTPS server with the JRE6 SR8 FP1, it turns out that the HTTPS server served by the IBM JSSE doesn't support the TLS renegotiation extension. I'm detecting the support for TLS secure renegotiation in Chrome.
Meanwhile, when I'm doing the same test with Oracle JRE version 1.6.0_22-b04, in Chrome it shows that the Tomcat HTTPS server does support the TLS secure renegotiation.
- IBM Java Version in test is:
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap6460sr8fp1-20100624_01(SR8 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc64-64 jvmap6460sr8ifx-20100609_59383 (JIT enabled, AOT enabled)
J9VM - 20100609_059383
JIT - r9_20100401_15339ifx2
GC - 20100308_AA)
JCL - 20100624_01
- Oracle Java version in test is:
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) Client VM (build 17.1-b03, mixed mode)