Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8337664

Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

XMLWordPrintable

      Google [1] and Mozilla [2] have announced plans to distrust TLS Server certificates issued by Entrust.

      This enhancement will implement similar restrictions in the JDK.

      The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after October 31, 2024. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, ex:

         "TLS Server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"

      If necessary, you can work around the restrictions by removing "ENTRUST_TLS" from the "jdk.security.caDistrustPolicies" security property.

      The restrictions will be imposed on the following Entrust Root certificates (identified by Distinguished Name) included in the JDK (note that AffirmTrust are Entrust CAs):

      1. CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.",
          OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
      2. CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only",
          OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
      3. CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only",
          OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
      4. CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
          OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
      5. CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
          OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
      6. CN=AffirmTrust Commercial, O=AffirmTrust, C=US
      7. CN=AffirmTrust Networking, O=AffirmTrust, C=US
      8. CN=AffirmTrust Premium, O=AffirmTrust, C=US
      9. CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

      [1] https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
      [2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw

        There are no Sub-Tasks for this issue.

            mpowers Mark Powers
            mullan Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            16 Start watching this issue

              Created:
              Updated:
              Resolved: