[jdk11u-dev] RFR: 8263188: JSSE should fail fast if there isn't supported signature algorithm [v2]

Severin Gehwolf sgehwolf at openjdk.org
Thu Dec 4 17:42:08 UTC 2025 

On Thu, 4 Dec 2025 10:15:51 GMT, Antonio Vieiro <avieiro at openjdk.org> wrote:

>> Clean backport of [JDK-8263188](https://bugs.openjdk.org/browse/JDK-8263188) to JDK11. 
>> 
>> It will make it easier to backport and review  [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) and [JDK-8340321](https://bugs.openjdk.org/browse/JDK-8340321) , so OpenJDK 11 [follows the Oracle JRE and JDK Cryptographic Roadmap on 2026/01](https://www.java.com/en/jre-jdk-cryptoroadmap.html) by disabling SHA-1 in TLS/DTLS 1.2 handshake signatures.
>> 
>> Since JDK11 does not sport the `ByteBuffer.slice(int, int)` method in JDK17 (used in `test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java`), a second commit adds an equivalent and updates the test.
>> 
>> Tested on Linux with `tier1` tests:
>> 
>> 
>> ==============================
>> Test summary
>> ==============================
>>    TEST                                              TOTAL  PASS  FAIL ERROR   
>>    jtreg:test/hotspot/jtreg:tier1                     1497  1497     0     0   
>>    jtreg:test/jdk:tier1                               1899  1899     0     0   
>>    jtreg:test/langtools:tier1                         3941  3941     0     0   
>>    jtreg:test/nashorn:tier1                              0     0     0     0   
>>    jtreg:test/jaxp:tier1                                 0     0     0     0   
>> ==============================
>> TEST SUCCESS
>> 
>> 
>> Also security tests (including new ones) pass:
>> 
>> 
>> ==============================
>> Test summary
>> ==============================
>>    TEST                                              TOTAL  PASS  FAIL ERROR   
>>    jtreg:test/jdk/sun/security                         664   664     0     0   
>> ==============================
>> TEST SUCCESS
>
> Antonio Vieiro has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains two commits:
> 
>  - ByteBuffer.slice(int,int) for JDK11
>  - Backport 99b4bab3

Looks good. Please update the copyright since another change happend since and there is no `THL A29 Limited` in other copyright notices anymore.

test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java line 2:

> 1: /*
> 2:  * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.

Suggestion:

 * Copyright (C) 2021, Tencent. All rights reserved.


Note that [JDK-8364597](https://bugs.openjdk.org/browse/JDK-8364597) has been brought to JDK 11 since. We should keep it aligned.

test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS13.java line 2:

> 1: /*
> 2:  * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.

Suggestion:

 * Copyright (C) 2021, Tencent. All rights reserved.


Same here.

-------------

PR Review: https://git.openjdk.org/jdk11u-dev/pull/3126#pullrequestreview-3540087195
PR Review Comment: https://git.openjdk.org/jdk11u-dev/pull/3126#discussion_r2589122931
PR Review Comment: https://git.openjdk.org/jdk11u-dev/pull/3126#discussion_r2589126377

More information about the jdk-updates-dev mailing list