[jdk11u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
Antonio Vieiro
duke at openjdk.org
Fri Feb 14 10:32:19 UTC 2025
On Thu, 13 Feb 2025 18:52:18 GMT, Antonio Vieiro <duke at openjdk.org> wrote:
> Almost clean backport of [JDK-8346587](https://bugs.openjdk.org/browse/JDK-8346587) to distrust TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root CAs.
>
> This is on top of [this previous PR](https://github.com/openjdk/jdk11u-dev/pull/2993) for [JDK-8339560](https://bugs.openjdk.org/browse/JDK-8339560) ("Unaddressed comments during code review of JDK-8337664").
>
> The backport is not completely clean because it required a change in line 98 of `CamerfirmaTLSPolicy.java` since [JDK-8270946](https://bugs.openjdk.org/browse/JDK-8270946) has not been backported to 11.
>
> Passes `tier1` and `jdk/sun/security` tests:
>
>
> ==============================
> Test summary
> ==============================
> TEST TOTAL PASS FAIL ERROR
> jtreg:test/hotspot/jtreg:tier1 1497 1497 0 0
> jtreg:test/jdk:tier1 1899 1899 0 0
> jtreg:test/langtools:tier1 3941 3941 0 0
> jtreg:test/nashorn:tier1 0 0 0 0
> jtreg:test/jaxp:tier1 0 0 0 0
> ==============================
> TEST SUCCESS
>
>
> ==============================
> Test summary
> ==============================
> TEST TOTAL PASS FAIL ERROR
> jtreg:test/jdk/sun/security 657 657 0 0
> ==============================
> TEST SUCCESS
- Test failures unrelated (see https://github.com/openjdk/jdk11u-dev/pull/2987).
- [JDK-8270946](https://bugs.openjdk.org/browse/JDK-8270946) could be backported too from [JDK-17](https://github.com/openjdk/jdk17u/commit/facbabb2032aabed0cb52cfcdc6894db1358edbf) but I think the risk is too high for just a single-line fix.
-------------
PR Comment: https://git.openjdk.org/jdk11u-dev/pull/2994#issuecomment-2658923174
More information about the jdk-updates-dev
mailing list