-
Bug
-
Resolution: Fixed
-
P3
-
7
-
b15
-
generic
-
generic
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2217551 | 7u4 | Xuelei Fan | P3 | Closed | Fixed | b06 |
JDK-8155172 | 6u131 | Sean Coffey | P3 | Resolved | Fixed | b01 |
JDK-8151490 | 6u121 | Sean Coffey | P3 | Resolved | Fixed | b02 |
JDK-8154773 | 6u115 | Sean Coffey | P3 | Resolved | Fixed | b32 |
In JDK 7, we have two types of trust managers, X509TrustManager and X509ExtendedTrustManager. X509ExtendedTrustManager is introduced in JDK 7 in order to support TLS 1.2. Oracle provider will use X509ExtendedTrustManager in JDK 7. Applications may still use X509TrustManager as the super class as their customized trust manager. For compatibility, we have to wrap these trust managers into X509ExtendedTrustManager so that they can work with TLS 1.2.
Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need the additional checking to ensure the wrapped trust manager also do the constraints checking properly, although it may have been done in the customized trust manager.
The issue here is that for customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is MD2 algorithm signed, it will be denied by the wrapped trust manager.
Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need the additional checking to ensure the wrapped trust manager also do the constraints checking properly, although it may have been done in the customized trust manager.
The issue here is that for customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is MD2 algorithm signed, it will be denied by the wrapped trust manager.
- backported by
-
JDK-8151490 compatibility issue with MD2 trust anchor and old X509TrustManager
- Resolved
-
JDK-8154773 compatibility issue with MD2 trust anchor and old X509TrustManager
- Resolved
-
JDK-8155172 compatibility issue with MD2 trust anchor and old X509TrustManager
- Resolved
-
JDK-2217551 compatibility issue with MD2 trust anchor and old X509TrustManager
- Closed
- relates to
-
JDK-7115524 Regression: keytool -printcert -sslserver failure
- Closed