- Enhancement
- Resolution: Fixed
- P3
- None
- b14
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8338163 | 23.0.2 | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339734 | 23.0.1 | Ravi Reddy | P3 | Closed | Fixed | b09 |
JDK-8338162 | 21.0.6-oracle | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339907 | 21.0.6 | Goetz Lindenmaier | P3 | Resolved | Fixed | b01 |
JDK-8339650 | 21.0.5-oracle | Prajwal Kumaraswamy | P3 | Closed | Fixed | b08 |
JDK-8339707 | 21.0.5 | Goetz Lindenmaier | P3 | Resolved | Fixed | b07 |
JDK-8338164 | 17.0.14-oracle | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339911 | 17.0.14 | Goetz Lindenmaier | P3 | Resolved | Fixed | b01 |
JDK-8339652 | 17.0.13-oracle | Prajwal Kumaraswamy | P3 | Closed | Fixed | b09 |
JDK-8339708 | 17.0.13 | Goetz Lindenmaier | P3 | Resolved | Fixed | b07 |
JDK-8338165 | 11.0.26-oracle | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339915 | 11.0.26 | Goetz Lindenmaier | P3 | Resolved | Fixed | b01 |
JDK-8339654 | 11.0.25-oracle | Prajwal Kumaraswamy | P3 | Closed | Fixed | b08 |
JDK-8339706 | 11.0.25 | Goetz Lindenmaier | P3 | Resolved | Fixed | b06 |
JDK-8341380 | openjdk8u442 | Francisco Ferrari Bihurriet | P3 | Resolved | Fixed | b01 |
JDK-8340530 | openjdk8u432 | Francisco Ferrari Bihurriet | P3 | Resolved | Fixed | b05 |
JDK-8338166 | 8u441 | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339655 | 8u431 | Prajwal Kumaraswamy | P3 | Closed | Fixed | b09 |
JDK-8338167 | 7u451 | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8339656 | 7u441 | Prajwal Kumaraswamy | P3 | Closed | Fixed | b07 |
This enhancement will implement similar restrictions in the JDK.
The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after October 31, 2024. An application will receive an Exception with a message indicating that the trust anchor (root) is not trusted, for example:
"TLS Server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"
If necessary, you can work around the restrictions by removing "ENTRUST_TLS" from the "jdk.security.caDistrustPolicies" security property.
The restrictions will be imposed on the following Entrust Root certificates (identified by Distinguished Name) included in the JDK (note that AffirmTrust are Entrust CAs):
1. CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.",
OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
2. CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
3. CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
4. CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
5. CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
6. CN=AffirmTrust Commercial, O=AffirmTrust, C=US
7. CN=AffirmTrust Networking, O=AffirmTrust, C=US
8. CN=AffirmTrust Premium, O=AffirmTrust, C=US
9. CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
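
An added audit sketch in Java (not code from the JDK or this issue): it reports whether `ENTRUST_TLS` is still present in `jdk.security.caDistrustPolicies` and which of the nine roots listed above the runtime's default trust store accepts. The class and method names are hypothetical, and it assumes the property holds a comma-separated list of policy names.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class EntrustDistrustAudit {  // hypothetical name, not a JDK class
    // Root DNs copied from the list in this issue.
    static final List<X500Principal> AFFECTED = Arrays.asList(
        new X500Principal("CN=Entrust Root Certification Authority, OU=\"(c) 2006 Entrust, Inc.\", OU=www.entrust.net/CPS is incorporated by reference, O=\"Entrust, Inc.\", C=US"),
        new X500Principal("CN=Entrust Root Certification Authority - EC1, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US"),
        new X500Principal("CN=Entrust Root Certification Authority - G2, OU=\"(c) 2009 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US"),
        new X500Principal("CN=Entrust Root Certification Authority - G4, OU=\"(c) 2015 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US"),
        new X500Principal("CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"),
        new X500Principal("CN=AffirmTrust Commercial, O=AffirmTrust, C=US"),
        new X500Principal("CN=AffirmTrust Networking, O=AffirmTrust, C=US"),
        new X500Principal("CN=AffirmTrust Premium, O=AffirmTrust, C=US"),
        new X500Principal("CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US"));

    // Assumption: the property value is a comma-separated list of policy names.
    static boolean policyActive(String value) {
        if (value == null) return false;
        for (String p : value.split(",")) {
            if (p.trim().equals("ENTRUST_TLS")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String policies = Security.getProperty("jdk.security.caDistrustPolicies");
        System.out.println("jdk.security.caDistrustPolicies = " + policies);
        System.out.println("ENTRUST_TLS enforced: " + policyActive(policies));
        // A null KeyStore selects the runtime's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (AFFECTED.contains(ca.getSubjectX500Principal()))
                    System.out.println("affected root trusted: " + ca.getSubjectX500Principal());
            }
        }
    }
}
```

A result of `ENTRUST_TLS enforced: false` on a patched runtime means the workaround has been applied and certificates issued under these roots after the cutoff will be accepted again.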
[1] https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw
- backported by
  - JDK-8338162 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8338163 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8338164 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8338165 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8338166 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8338167 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339706 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339707 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339708 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339907 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339911 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339915 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8340530 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8341380 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Resolved)
  - JDK-8339650 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
  - JDK-8339652 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
  - JDK-8339654 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
  - JDK-8339655 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
  - JDK-8339656 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
  - JDK-8339734 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
- csr for
  - JDK-8339194 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Closed)
- relates to
  - JDK-8340414 [8u] Use an internal listOf & setOf when backporting List.of & Set.of (Open)
  - JDK-8341059 Change Entrust TLS distrust date to November 12, 2024 (Resolved)
  - JDK-8207258 Distrust TLS server certificates anchored by Symantec Root CAs (Resolved)
  - JDK-8339560 Unaddressed comments during code review of JDK-8337664 (Resolved)
- links to
  - Commit(master) openjdk/jdk8u/39221f82
  - Commit(master) openjdk/jdk11u/90ad5b18
  - Commit(master) openjdk/jdk17u/aa46c353
  - Commit(master) openjdk/jdk21u/0b340d1d
  - Commit(master) openjdk/jdk23u/7d49c522
  - Commit(master) openjdk/jdk/bbb51616
  - Review(master) openjdk/jdk8u/61
  - Review(master) openjdk/jdk11u/95
  - Review(master) openjdk/jdk17u/396
  - Review(master) openjdk/jdk21u/451
  - Review(master) openjdk/jdk23u/91
  - Review(master) openjdk/jdk/20731