The original max-negotiate-time code was never a solution (which is why the original bug remains open); it is just a heuristic that works with the Qpid implementation of AMQP 0-10 (which is all we supported then).
The real issue with the current code is that there is no semantic object that exists from the point that the low level connection is accepted until the point that the connection is authenticated, which is when there is no longer any chance of an unauthenticated DoS. This object is what needs to hold the timeout code, not the low-level code which has, as Gordon correctly points out, no idea of the underlying semantics and shouldn't have any idea of it.
The only solution that I can see that can be made to work is to refactor the Connection object creation so that it happens much earlier in the process of accepting a connection, and for the Connection object to hold the timeout logic. However, this object is currently created as part of the process of making the codec for the specific protocol, and so the refactor is larger than I'd wish.
Any other suggestions welcome.
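
The design proposed in this comment, sketched as an added example that is not part of the comment or of the Qpid code base: an object created at accept time, independent of any protocol codec, holds the deadline, and only authentication disarms it. The names `PendingConnection` and `sweep`, the integer connection ids and the 2-second limit are assumptions made for illustration.

```cpp
#include <chrono>
#include <cstdio>
#include <map>
#include <vector>
using Clock = std::chrono::steady_clock;
using std::chrono::milliseconds;
// Hypothetical protocol-independent object, created when the socket is accepted,
// before any codec exists. It owns the pre-authentication deadline.
class PendingConnection {
public:
    PendingConnection(Clock::time_point accepted, milliseconds limit) : deadline_(accepted + limit) {}
    // Handshake progress never moves the deadline, so a stalled peer cannot hold the slot.
    void protocolSelected() { if (state_ == State::Accepted) state_ = State::Negotiating; }
    // Only authentication completed before the deadline disarms the timer.
    void authenticated(Clock::time_point now) {
        if (state_ != State::TimedOut && now < deadline_) state_ = State::Authenticated;
    }
    // True when the transport must be closed.
    bool expired(Clock::time_point now) {
        if (state_ != State::Authenticated && now >= deadline_) state_ = State::TimedOut;
        return state_ == State::TimedOut;
    }
private:
    enum class State { Accepted, Negotiating, Authenticated, TimedOut };
    Clock::time_point deadline_;
    State state_ = State::Accepted;
};

// Timer tick over all accepted sockets: returns the ids to close and forgets them.
std::vector<int> sweep(std::map<int, PendingConnection>& conns, Clock::time_point now) {
    std::vector<int> closed;
    for (auto it = conns.begin(); it != conns.end();) {
        if (it->second.expired(now)) { closed.push_back(it->first); it = conns.erase(it); }
        else ++it;
    }
    return closed;
}

// Constructed scenario: three sockets accepted at t0 with a 2 s limit.
std::vector<int> demo() {
    const Clock::time_point t0{};
    std::map<int, PendingConnection> conns;
    for (int id : {1, 2, 3}) conns.emplace(id, PendingConnection(t0, milliseconds(2000)));
    conns.at(2).protocolSelected();                      // picks a protocol, then stalls
    conns.at(3).protocolSelected();
    conns.at(3).authenticated(t0 + milliseconds(500));   // authenticates in time
    return sweep(conns, t0 + milliseconds(2500));        // silent and stalled peers are closed
}
int main() { for (int id : demo()) std::printf("closed %d\n", id); }
```

Time is passed in explicitly so the behaviour is deterministic; a broker would drive `sweep` from its own timer.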