Apply 2372030 to 1.x except make default true so that it behaves as it did on 1.3.8 (synchronzed SSL handshakes)
Patch sent for community review. During a 2 week period any exploiter may comment on the patch, request changes or turn it down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.
File Added: 2372679-Exp-patch.txt
# If set to false, SSL handshakes are not synchronized. If set to true, SSL handshakes
# are synchronized as a workaround for an IBM JSSE problem with thread-safe handshakes.
# Type: Boolean
# Range: false, true
# Default: true
#synchronized.ssl.handshake = true
Patch against HEAD
File Added: 2372679-HEAD-patch.txt
The community review is completed and we received no substantial critisism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.
The patch was picked up by release 1.3.8 and will be closed.