JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Description

        Google [1], Mozilla [2], Apple [3], and Microsoft [4] have previously announced plans to distrust TLS Server certificates issued by Symantec.

        This enhancement will implement similar restrictions in the JDK.

        Precise details are still being planned, but the restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the list below (subject to additional constraints, such as the certificate notBefore date, that will be defined later). An application will receive an exception with a message indicating that the trust anchor (root) is not trusted, for example:

           "TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

        If necessary, you can work around the restrictions by removing "SYMANTEC_TLS" from the "jdk.security.caDistrustPolicies" security property.

        The restrictions will be imposed on the following Symantec Root certificates (identified by Distinguished Name) included in the JDK (note that GeoTrust, Thawte, and VeriSign are Symantec CAs):

        1. CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        2. CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
        3. CN=GeoTrust Primary Certification Authority - G2,
            OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
        4. CN=GeoTrust Primary Certification Authority - G3,
            OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
        5. CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
        6. CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only",
            OU=Certification Services Division, O="thawte, Inc.", C=US
        7. CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only",
            O="thawte, Inc.", C=US
        8. CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only",
            OU=Certification Services Division, O="thawte, Inc.", C=US
        9. EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA,
            OU=Certification Services Division, O=Thawte Consulting cc,
            L=Cape Town, ST=Western Cape, C=ZA
        10. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only",
              OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
        11. OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
        12. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only",
              OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
        13. CN=VeriSign Class 3 Public Primary Certification Authority - G3,
              OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        14. CN=VeriSign Class 3 Public Primary Certification Authority - G4,
              OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        15. CN=VeriSign Class 3 Public Primary Certification Authority - G5,
              OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        16. CN=VeriSign Universal Root Certification Authority,
              OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US

        [1] https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
        [2] https://wiki.mozilla.org/CA:Symantec_Issues
        [3] https://support.apple.com/en-us/HT208860
        [4] https://cloudblogs.microsoft.com/microsoftsecure/2018/10/04/microsoft-partners-with-digicert-to-begin-deprecating-symantec-tls-certificates/

        People

        mullan Sean Mullan