Loading...

XML

Word

Printable

Subcomponent:
javax.net.ssl
Resolved In Build:
b08

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8348521	24.0.2	Antonio Vieiro	P3	Resolved	Fixed	b01
JDK-8349879	24.0.1	Nibedita Jena	P3	Resolved	Fixed	b06
JDK-8348522	21.0.8-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8349696	21.0.7-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b06
JDK-8349870	21.0.7	Andrew Hughes	P3	Resolved	Fixed	b03
JDK-8348523	17.0.16-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8349693	17.0.15-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b07
JDK-8349994	17.0.15	Severin Gehwolf	P3	Resolved	Fixed	b03
JDK-8348524	11.0.28-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8349695	11.0.27-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b06
JDK-8350116	11.0.27	Severin Gehwolf	P3	Resolved	Fixed	b02
JDK-8352402	openjdk8u462	Severin Gehwolf	P3	Resolved	Fixed	b01
JDK-8352024	openjdk8u452	Severin Gehwolf	P3	Resolved	Fixed	b06
JDK-8361015	shenandoah8u452	Severin Gehwolf	P3	Resolved	Fixed	b06
JDK-8348525	8u461	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8349694	8u451	Prasadarao Koppula	P3	Resolved	Fixed	b06
JDK-8349697	7u461	Prasadarao Koppula	P3	Resolved	Fixed	b05

TLS server certificates anchored by Camerfirma Root CAs are distrusted or distrusted after a specific date by Google [1], Mozilla [2], Apple [3], and Microsoft [4, 5].

This enhancement will implement similar restrictions in the JDK.

The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after April 15, 2025. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, ex:

"TLS Server certificate issued after April 15, 2025 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"

If necessary, you can work around the restrictions by removing "CAMERFIRMA_TLS" from the "jdk.security.caDistrustPolicies" security property.

The restrictions will be imposed on the following Camerfirma Root certificates (identified by Distinguished Name) included in the JDK:

1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
[2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
[3] https://support.apple.com/en-us/121668
[4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
[5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024

backported by

JDK-8348521 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8348522 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8348523 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8348524 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8348525 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349693 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349694 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349695 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349696 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349697 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349870 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349879 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8349994 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8350116 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8352024 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8352402 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

JDK-8361015 Distrust TLS server certificates anchored by Camerfirma Root CAs

Resolved

csr for

JDK-8347738 Distrust TLS server certificates anchored by Camerfirma Root CAs

Closed

relates to

JDK-8350498 Remove two Camerfirma root CA certificates

Resolved

links to

Commit(master) openjdk/jdk8u/41cefc71

Commit(master) openjdk/jdk11u-dev/8322c66e

Commit(master) openjdk/jdk17u-dev/f4bef2f2

Commit(master) openjdk/jdk21u-dev/eb824722

Commit(master) openjdk/jdk24u/d2262fe4

Commit(master) openjdk/jdk/907350e9

Review(master) openjdk/jdk8u/68

Review(master) openjdk/jdk11u-dev/2994

Review(master) openjdk/jdk17u-dev/3276

Review(master) openjdk/jdk21u-dev/1388

Review(master) openjdk/jdk24u/40

Review(master) openjdk/jdk/22985

Review(pr/626) openjdk/jdk8u-dev/627

(12 backported by, 1 csr for, 1 relates to, 13 links to)

Release Note: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025

Resolved

Mark Powers

Assignee:: Mark Powers

Reporter:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024-12-18 13:24

Updated:: 2025-10-07 05:33

Resolved:: 2025-01-24 15:07

Details

Backports

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates