- Enhancement
- Resolution: Fixed
- P3
- None
- b08
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8348521 | 24.0.2 | Antonio Vieiro | P3 | Resolved | Fixed | b01 |
JDK-8349879 | 24.0.1 | Nibedita Jena | P3 | Resolved | Fixed | b06 |
JDK-8348522 | 21.0.8-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b01 |
JDK-8349696 | 21.0.7-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8349870 | 21.0.7 | Andrew Hughes | P3 | Resolved | Fixed | b03 |
JDK-8348523 | 17.0.16-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b01 |
JDK-8349693 | 17.0.15-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b07 |
JDK-8349994 | 17.0.15 | Severin Gehwolf | P3 | Resolved | Fixed | b03 |
JDK-8348524 | 11.0.28-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b01 |
JDK-8349695 | 11.0.27-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8350116 | 11.0.27 | Severin Gehwolf | P3 | Resolved | Fixed | b02 |
JDK-8352402 | openjdk8u462 | Severin Gehwolf | P3 | Resolved | Fixed | b01 |
JDK-8352024 | openjdk8u452 | Severin Gehwolf | P3 | Resolved | Fixed | b06 |
JDK-8361015 | shenandoah8u452 | Severin Gehwolf | P3 | Resolved | Fixed | b06 |
JDK-8348525 | 8u461 | Prasadarao Koppula | P3 | Resolved | Fixed | b01 |
JDK-8349694 | 8u451 | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8349697 | 7u461 | Prasadarao Koppula | P3 | Resolved | Fixed | b05 |
This enhancement will implement similar restrictions in the JDK.
The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities listed below and the certificate's notBefore date is after April 15, 2025. An application will receive an Exception with a message indicating that the trust anchor (root) is not trusted, for example:
"TLS Server certificate issued after April 15, 2025 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
If necessary, you can work around the restrictions by removing "CAMERFIRMA_TLS" from the "jdk.security.caDistrustPolicies" security property.
The restrictions will be imposed on the following Camerfirma Root certificates (identified by Distinguished Name) included in the JDK:
1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
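
For auditing which server certificates the rule above would affect, the following added example (not code from the JDK or from this issue) checks a chain's anchor DN against the three roots listed here, checks the leaf's notBefore against the cutoff, and reports whether `CAMERFIRMA_TLS` is present in the running JDK's `jdk.security.caDistrustPolicies`. The class and method names are hypothetical, reading "after April 15, 2025" as a UTC calendar-date comparison is an assumption, and matching by DN is an audit heuristic rather than path validation.

```java
import java.io.*;
import java.security.Security;
import java.security.cert.*;
import java.time.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class CamerfirmaAudit {
    static final String TAIL = ", O=AC Camerfirma S.A., SERIALNUMBER=A82743287, "
        + "L=Madrid (see current address at www.camerfirma.com/address), C=EU";
    // The three root DNs listed in this issue.
    static final List<X500Principal> ROOTS = Arrays.asList(
        new X500Principal("CN=Chambers of Commerce Root, OU=http://www.chambersign.org, "
            + "O=AC Camerfirma SA CIF A82743287, C=EU"),
        new X500Principal("CN=Chambers of Commerce Root - 2008" + TAIL),
        new X500Principal("CN=Global Chambersign Root - 2008" + TAIL));
    // Assumption: "after April 15, 2025" is evaluated on the UTC calendar date.
    static final LocalDate CUTOFF = LocalDate.of(2025, 4, 15);

    // True if the running JDK lists CAMERFIRMA_TLS in the security property.
    static boolean policyEnabled() {
        String p = Security.getProperty("jdk.security.caDistrustPolicies");
        return p != null && Arrays.stream(p.split(","))
            .anyMatch(s -> s.trim().equalsIgnoreCase("CAMERFIRMA_TLS"));
    }

    // anchor: issuer DN of the last certificate in the chain (the root's own DN).
    static boolean affected(X500Principal anchor, Instant notBefore) {
        return ROOTS.contains(anchor)
            && notBefore.atZone(ZoneOffset.UTC).toLocalDate().isAfter(CUTOFF);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("CAMERFIRMA_TLS active in this JDK: " + policyEnabled());
        if (args.length == 0) { // constructed samples, not real certificates
            X500Principal root = new X500Principal("CN=Global Chambersign Root - 2008" + TAIL);
            System.out.println(affected(root, Instant.parse("2025-04-15T23:59:59Z")));
            System.out.println(affected(root, Instant.parse("2025-04-16T00:00:00Z")));
            return;
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) { // PEM chain, leaf first
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[0]);
        X509Certificate leaf = chain.get(0), top = chain.get(chain.size() - 1);
        System.out.println("would be rejected: "
            + affected(top.getIssuerX500Principal(), leaf.getNotBefore().toInstant()));
    }
}
```

Run it with no arguments for the constructed samples, or pass a PEM file holding the server's chain with the leaf certificate first.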
[1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
[2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
[3] https://support.apple.com/en-us/121668
[4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
[5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024
- backported by
  - JDK-8348521 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348522 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348523 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348524 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348525 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349693 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349694 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349695 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349696 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349697 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349870 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349879 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349994 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8350116 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8352024 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8352402 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8361015 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
- csr for
  - JDK-8347738 Distrust TLS server certificates anchored by Camerfirma Root CAs (Closed)
- relates to
  - JDK-8350498 Remove two Camerfirma root CA certificates (Resolved)
- links to
  - Commit(master) openjdk/jdk8u/41cefc71
  - Commit(master) openjdk/jdk11u-dev/8322c66e
  - Commit(master) openjdk/jdk17u-dev/f4bef2f2
  - Commit(master) openjdk/jdk21u-dev/eb824722
  - Commit(master) openjdk/jdk24u/d2262fe4
  - Commit(master) openjdk/jdk/907350e9
  - Review(master) openjdk/jdk8u/68
  - Review(master) openjdk/jdk11u-dev/2994
  - Review(master) openjdk/jdk17u-dev/3276
  - Review(master) openjdk/jdk21u-dev/1388
  - Review(master) openjdk/jdk24u/40
  - Review(master) openjdk/jdk/22985
  - Review(pr/626) openjdk/jdk8u-dev/627