[jdk11u-dev] RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v3]

Antonio Vieiro avieiro at openjdk.org
Mon Dec 22 16:12:10 UTC 2025 

On Mon, 22 Dec 2025 14:54:47 GMT, Antonio Vieiro <avieiro at openjdk.org> wrote:

>> Backport of [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) from [JDK17](https://github.com/openjdk/jdk17u-dev/commit/fe850da38a3fc0c9ce6cf9348efca3c846e97143), a first step to [disable SHA-1 in TLS/DTLS 1.2 handshake signatures](https://www.java.com/en/configure_crypto.html#DisableSHA1_TLS_DTLS)  to comply with the [Oracle JRE Cryptographic Roadmap](https://www.java.com/en/jre-jdk-cryptoroadmap.html), to be followed with [JDK-8340321](https://bugs.openjdk.org/browse/JDK-8340321).
>> 
>> Backport is not clean, as there're significant changes from JDK17. 
>> 
>> To ease review, three additional commits adapt the backport to JDK11, which is missing JDK-8284047 (2nd commit) and JDK-8288209 (3rd commit). Also JDK11 is missing `ByteBuffer.slice(int, int)` (4th commit).
>> 
>> Tested on Linux with `tier1` tests and with `run-test-jdk_security`:
>> 
>> 
>> ==============================
>> Test summary
>> ==============================
>>    TEST                                              TOTAL  PASS  FAIL ERROR   
>>    jtreg:test/jdk:jdk_security                        1365  1365     0     0   
>> ==============================
>> TEST SUCCESS
>
> Antonio Vieiro has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains eight commits:
> 
>  - Merge master (resolving conflicts)
>  - Fix: JDK11 lacks ByteBuffer.slice(byte[], int, int)
>  - Because JDK-8284047 is not backported to 11
>  - Because JDK-8288209 is not backported to 11
>  - Backport fe850da38a3fc0c9ce6cf9348efca3c846e97143
>  - 8364597: Replace THL A29 Limited with Tencent
>  - ByteBuffer.slice(int,int) for JDK11
>  - Backport 99b4bab3

Some tests fail. Let's keep this as draft for the moment.

Re-testing with `run-test-jdk_security` after the merge shows three errors:


==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
>> jtreg:test/jdk:jdk_security                        1367  1364     3     0 <<
==============================
TEST FAILURE


Namely:

- `javax/net/ssl/ciphersuites/DisabledAlgorithms.java`: Check if weak cipher suites are disabled
- `javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java#Client`: Verify that Java will not negotiate disabled cipher suites when the other side of the connection requests them.
- `javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java#Server`: Verify that Java will not negotiate disabled cipher suites when the other side of the connection requests them.

These errors are unrelated, and seem to have been [introduced in this recently closed PR](https://github.com/openjdk/jdk11u-dev/pull/3128#issuecomment-3682741838)

-------------

PR Comment: https://git.openjdk.org/jdk11u-dev/pull/3130#issuecomment-3682583228
PR Comment: https://git.openjdk.org/jdk11u-dev/pull/3130#issuecomment-3682744843

More information about the jdk-updates-dev mailing list