- Enhancement
- Resolution: Fixed
- P3
- None
- b08
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8348521 | 24.0.2 | Antonio Vieiro | P3 | Resolved | Fixed | master |
JDK-8349879 | 24.0.1 | Nibedita Jena | P3 | Resolved | Fixed | b06 |
JDK-8348522 | 21.0.8-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | master |
JDK-8349696 | 21.0.7-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8349870 | 21.0.7 | Andrew Hughes | P3 | Resolved | Fixed | b03 |
JDK-8348523 | 17.0.16-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | master |
JDK-8349693 | 17.0.15-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b07 |
JDK-8349994 | 17.0.15 | Severin Gehwolf | P3 | Resolved | Fixed | b03 |
JDK-8348524 | 11.0.28-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | master |
JDK-8349695 | 11.0.27-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8350116 | 11.0.27 | Severin Gehwolf | P3 | Resolved | Fixed | b02 |
JDK-8348525 | 8u461 | Prasadarao Koppula | P3 | Resolved | Fixed | master |
JDK-8349694 | 8u451 | Prasadarao Koppula | P3 | Resolved | Fixed | b06 |
JDK-8349697 | 7u461 | Prasadarao Koppula | P3 | Resolved | Fixed | b05 |
This enhancement will implement similar restrictions in the JDK.
The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after <date TBD>. An application will receive an Exception with a message indicating that the trust anchor (root) is not trusted, for example:
"TLS Server certificate issued after <date TBD> and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
If necessary, you can work around the restrictions by removing "CAMERFIRMA_TLS" from the "jdk.security.caDistrustPolicies" security property.
The restrictions will be imposed on the following Camerfirma Root certificates (identified by Distinguished Name) included in the JDK:
1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
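An audit sketch for the restriction described above, added here as an example and not taken from the OpenJDK change: it reports whether `CAMERFIRMA_TLS` is present in `jdk.security.caDistrustPolicies`, lists which of the three roots the runtime's default trust store still contains, and offers a chain check. The class and method names are hypothetical, roots are matched by Distinguished Name as listed in this issue, and the cutoff is a caller-supplied parameter because the issue leaves the date TBD.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class CamerfirmaAudit {   // hypothetical name, not part of the JDK
    static final String MADRID = ", O=AC Camerfirma S.A., SERIALNUMBER=A82743287, "
        + "L=Madrid (see current address at www.camerfirma.com/address), C=EU";
    // The three root DNs listed in this issue; X500Principal.equals compares canonical forms.
    static final Set<X500Principal> ROOTS = new HashSet<>(Arrays.asList(
        new X500Principal("CN=Chambers of Commerce Root, OU=http://www.chambersign.org, "
            + "O=AC Camerfirma SA CIF A82743287, C=EU"),
        new X500Principal("CN=Chambers of Commerce Root - 2008" + MADRID),
        new X500Principal("CN=Global Chambersign Root - 2008" + MADRID)));

    // True when CAMERFIRMA_TLS is present in the comma-separated security property.
    static boolean policyEnabled() {
        String p = Security.getProperty("jdk.security.caDistrustPolicies");
        return p != null && Arrays.stream(p.split(",")).map(String::trim)
            .anyMatch("CAMERFIRMA_TLS"::equals);
    }

    // Listed roots that this runtime's default trust store accepts as issuers.
    static List<X509Certificate> listedRootsTrusted() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null selects the default trust store
        List<X509Certificate> found = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers())
                    if (ROOTS.contains(c.getSubjectX500Principal())) found.add(c);
        return found;
    }

    // chain[0] is the server certificate; the last element is the root or was issued by it.
    static boolean matchesRestriction(X509Certificate[] chain, Date cutoff) {
        X500Principal anchor = chain[chain.length - 1].getIssuerX500Principal();
        return ROOTS.contains(anchor) && chain[0].getNotBefore().after(cutoff);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("CAMERFIRMA_TLS policy enabled: " + policyEnabled());
        for (X509Certificate c : listedRootsTrusted())
            System.out.println("listed root in trust store: " + c.getSubjectX500Principal());
    }
}
```

`matchesRestriction` can be fed the chain returned by `SSLSession.getPeerCertificates()` (cast to `X509Certificate`) to inventory endpoints that depend on these roots before the policy takes effect.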
[1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
[2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
[3] https://support.apple.com/en-us/121668
[4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
[5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024
- backported by
  - JDK-8348521 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348522 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348523 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348524 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8348525 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349693 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349694 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349695 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349696 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349697 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349870 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349879 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8349994 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
  - JDK-8350116 Distrust TLS server certificates anchored by Camerfirma Root CAs (Resolved)
- csr for
  - JDK-8347738 Distrust TLS server certificates anchored by Camerfirma Root CAs (Closed)
- links to
  - Commit(master) openjdk/jdk11u-dev/8322c66e
  - Commit(master) openjdk/jdk17u-dev/f4bef2f2
  - Commit(master) openjdk/jdk21u-dev/eb824722
  - Commit(master) openjdk/jdk24u/d2262fe4
  - Commit(master) openjdk/jdk/907350e9
  - Review(master) openjdk/jdk8u/68
  - Review(master) openjdk/jdk11u-dev/2994
  - Review(master) openjdk/jdk17u-dev/3276
  - Review(master) openjdk/jdk21u-dev/1388
  - Review(master) openjdk/jdk24u/40
  - Review(master) openjdk/jdk/22985
  - Review(pr/626) openjdk/jdk8u-dev/627