JDK-8346587

Distrust TLS server certificates anchored by Camerfirma Root CAs


      TLS server certificates anchored by Camerfirma Root CAs are distrusted or distrusted after a specific date by Google [1], Mozilla [2], Apple [3], and Microsoft [4, 5].

      This enhancement will implement similar restrictions in the JDK.

      The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after April 15, 2025. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, for example:

         "TLS Server certificate issued after April 15, 2025 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"

      If necessary, you can work around the restrictions by removing "CAMERFIRMA_TLS" from the "jdk.security.caDistrustPolicies" security property.

      The restrictions will be imposed on the following Camerfirma Root certificates (identified by Distinguished Name) included in the JDK:

      1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
      2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
      3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

      [1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
      [2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
      [3] https://support.apple.com/en-us/121668
      [4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
      [5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024
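
An added example (not JDK code and not part of this issue): a Java audit helper that reports whether CAMERFIRMA_TLS is set in jdk.security.caDistrustPolicies and flags a certificate chain that would fall under the restriction described above. It assumes the anchor can be matched by the Distinguished Names listed above and that notBefore is compared as a UTC calendar date; the class and method names are hypothetical.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class CamerfirmaDistrustAudit {
    static final String ES = ", O=AC Camerfirma S.A., SERIALNUMBER=A82743287, "
        + "L=Madrid (see current address at www.camerfirma.com/address), C=EU";
    // Root DNs copied from the list in this issue.
    static final Set<X500Principal> ROOTS = Set.of(
        new X500Principal("CN=Chambers of Commerce Root, OU=http://www.chambersign.org, "
            + "O=AC Camerfirma SA CIF A82743287, C=EU"),
        new X500Principal("CN=Chambers of Commerce Root - 2008" + ES),
        new X500Principal("CN=Global Chambersign Root - 2008" + ES));
    static final LocalDate CUTOFF = LocalDate.of(2025, 4, 15);

    // True when CAMERFIRMA_TLS is present in the comma-separated security property.
    static boolean policyEnabled() {
        String v = Security.getProperty("jdk.security.caDistrustPolicies");
        return v != null && Arrays.stream(v.split(",")).map(String::trim)
            .anyMatch("CAMERFIRMA_TLS"::equals);
    }

    // Assumption: the anchor is matched by DN and notBefore is read as a UTC calendar date.
    static boolean affected(X500Principal anchor, Date leafNotBefore) {
        LocalDate nb = leafNotBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
        return ROOTS.contains(anchor) && nb.isAfter(CUTOFF);
    }

    // chain[0] is the server certificate. For a complete chain, the issuer of the last
    // element names the root whether or not the self-signed root itself was sent.
    static boolean affected(X509Certificate[] chain) {
        return affected(chain[chain.length - 1].getIssuerX500Principal(), chain[0].getNotBefore());
    }
    static Date utc(int y, int m, int d) {
        return Date.from(LocalDate.of(y, m, d).atStartOfDay(ZoneOffset.UTC).toInstant());
    }
    public static void main(String[] args) {
        // Constructed inputs (no real certificates): an anchor DN plus a leaf notBefore.
        X500Principal root2008 = new X500Principal("CN=Chambers of Commerce Root - 2008" + ES);
        X500Principal other = new X500Principal("CN=Example Root CA, O=Example, C=US");
        System.out.println("CAMERFIRMA_TLS enabled: " + policyEnabled());
        System.out.println("on cutoff day:    " + affected(root2008, utc(2025, 4, 15)));
        System.out.println("day after cutoff: " + affected(root2008, utc(2025, 4, 16)));
        System.out.println("other root:       " + affected(other, utc(2025, 4, 16)));
    }
}
```

The `X509Certificate[]` overload accepts the array returned by `SSLSession.getPeerCertificates()` after a cast, which lets existing endpoints be inventoried for certificates that a renewal after the cutoff date would break.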

            mpowers Mark Powers
            mullan Sean Mullan