--- a/jdk/src/share/classes/sun/security/ssl/Handshaker.java Fri Dec 04 10:23:07 2009 -0800
+++ b/jdk/src/share/classes/sun/security/ssl/Handshaker.java Mon Dec 07 21:16:41 2009 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright 1996-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -60,9 +60,12 @@
*/
abstract class Handshaker {
- // current protocol version
+ // protocol version being established using this Handshaker
ProtocolVersion protocolVersion;
+ // the currently active protocol version during a renegotiation
+ ProtocolVersion activeProtocolVersion;
+
// list of enabled protocols
ProtocolList enabledProtocols;
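Review bot: The comment on the new `activeProtocolVersion` field does not say what the field holds during an initial handshake, when no version is active on the connection yet. It is a package-private mutable field sitting next to `protocolVersion`, so anyone checking the version logic needs to know whether it is null or equal to `protocolVersion` outside a renegotiation; its assignment is not visible in this hunk. I would extend the comment along the lines of `// protocol version already in use on the connection when this Handshaker renegotiates; <initial-handshake value stated here>`.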
@@ -124,6 +127,13 @@
/* Class and subclass dynamic debugging support */
static final Debug debug = Debug.getInstance("ssl");
+ // By default, disable the unsafe legacy session renegotiation
+ static final boolean renegotiable = Debug.getBooleanProperty(
+ "sun.security.ssl.allowUnsafeRenegotiation", false);
+
+ // need to dispose the object when it is invalidated
+ boolean invalidated;
+
Handshaker(SSLSocketImpl c, SSLContextImpl context,
ProtocolList enabledProtocols, boolean needCertVerify,
boolean isClient) {
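Review bot: The `renegotiable` flag is a `static final` read of `sun.security.ssl.allowUnsafeRenegotiation`, so its value is fixed when the class is initialized and applies to every connection in the JVM, and the one-line comment says neither. I would spell that out, e.g. `// Read once at class initialization, JVM-wide; setting sun.security.ssl.allowUnsafeRenegotiation=true re-enables unsafe legacy renegotiation for all sockets.` The name also reads as "renegotiation is possible" rather than "unsafe renegotiation is permitted"; `allowUnsafeRenegotiation` would match the property. The comment on `invalidated` would be clearer if it said which code sets the flag and what disposal involves, neither of which this hunk shows. The constructor body continues outside the hunk.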
@@ -144,6 +154,7 @@
this.sslContext = context;
this.isClient = isClient;
enableNewSession = true;
+ invalidated = false;
setCipherSuite(CipherSuite.C_NULL);
@@ -489,7 +500,9 @@
*/
void processLoop() throws IOException {
- while (input.available() > 0) {
+ // need to read off 4 bytes at least to get the handshake
+ // message type and length.
+ while (input.available() >= 4) {
byte messageType;
int messageLen;
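Review bot: The literal `4` in `while (input.available() >= 4)` encodes the handshake header layout (1-byte type plus 3-byte length) and is worth a named constant, e.g. `static final int HANDSHAKE_HEADER_LEN = 4;`, so the loop bound and the header reads cannot drift apart. The added comment could also state that a partial header is left buffered until more data arrives, since that is the behaviour change from `> 0`. The loop body lies outside this hunk, so whether `messageLen` is bounds-checked before the message is consumed cannot be confirmed here and is worth checking in the same review.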