[jdk11u-dev] RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope
Antonio Vieiro
avieiro at openjdk.org
Fri Dec 5 11:59:23 UTC 2025
Backport of [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) from [JDK17](https://github.com/openjdk/jdk17u-dev/commit/fe850da38a3fc0c9ce6cf9348efca3c846e97143), a first step to [disable SHA-1 in TLS/DTLS 1.2 handshake signatures](https://www.java.com/en/configure_crypto.html#DisableSHA1_TLS_DTLS) to comply with the [Oracle JRE Cryptographic Roadmap](https://www.java.com/en/jre-jdk-cryptoroadmap.html), to be followed with [JDK-8340321](https://bugs.openjdk.org/browse/JDK-8340321).
Backport is not clean, as there're significant changes from JDK17.
To ease review, three additional commits adapt the backport to JDK11, which is missing JDK-8284047 (2nd commit) and JDK-8288209 (3rd commit). Also JDK11 is missing `ByteBuffer.slice(byte[], int, int)` (4th commit).
Tested on Linux with `tier1` tests and with `run-test-jdk_security`:
```
==============================
Test summary
==============================
   TEST                            TOTAL  PASS  FAIL  ERROR
   jtreg:test/jdk:jdk_security      1365  1365     0      0
==============================
TEST SUCCESS
```
-------------
Depends on: https://git.openjdk.org/jdk11u-dev/pull/3126
Commit messages:
- Fix: JDK11 lacks ByteBuffer.slice(byte[], int, int)
- Because JDK-8284047 is not backported to 11
- Because JDK-8288209 is not backported to 11
- Backport fe850da38a3fc0c9ce6cf9348efca3c846e97143
Changes: https://git.openjdk.org/jdk11u-dev/pull/3130/files
Webrev: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=3130&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8349583
Stats: 1063 lines in 20 files changed: 931 ins; 19 del; 113 mod
Patch: https://git.openjdk.org/jdk11u-dev/pull/3130.diff
Fetch: git fetch https://git.openjdk.org/jdk11u-dev.git pull/3130/head:pull/3130
PR: https://git.openjdk.org/jdk11u-dev/pull/3130