[jdk11u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v3]

Antonio Vieiro duke at openjdk.org
Fri Feb 14 10:44:29 UTC 2025 

> Almost clean backport of [JDK-8346587](https://bugs.openjdk.org/browse/JDK-8346587) to distrust TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root CAs.
> 
> This is on top of [this previous PR](https://github.com/openjdk/jdk11u-dev/pull/2993) for [JDK-8339560](https://bugs.openjdk.org/browse/JDK-8339560) ("Unaddressed comments during code review of JDK-8337664").
> 
> The backport is not completely clean because it required a change in line 98 of `CamerfirmaTLSPolicy.java` since [JDK-8270946](https://bugs.openjdk.org/browse/JDK-8270946) has not been backported to 11.
> 
> Passes `tier1` and `jdk/sun/security` tests:
> 
> 
> ==============================
> Test summary
> ==============================
>    TEST                                              TOTAL  PASS  FAIL ERROR   
>    jtreg:test/hotspot/jtreg:tier1                     1497  1497     0     0   
>    jtreg:test/jdk:tier1                               1899  1899     0     0   
>    jtreg:test/langtools:tier1                         3941  3941     0     0   
>    jtreg:test/nashorn:tier1                              0     0     0     0   
>    jtreg:test/jaxp:tier1                                 0     0     0     0   
> ==============================
> TEST SUCCESS
> 
> 
> ==============================
> Test summary
> ==============================
>    TEST                                              TOTAL  PASS  FAIL ERROR   
>    jtreg:test/jdk/sun/security                         657   657     0     0   
> ==============================
> TEST SUCCESS

Antonio Vieiro has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:

 - Merge master
 - Backport f4bef2f24a9bb433b5693aa59bb81acac6b311f3
 - Backport 6a3f208c0b32d90eb3853008301e680695d3ac28

-------------

Changes:
  - all: https://git.openjdk.org/jdk11u-dev/pull/2994/files
  - new: https://git.openjdk.org/jdk11u-dev/pull/2994/files/2c483da7..f78bb635

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=2994&range=02
 - incr: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=2994&range=01-02

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk11u-dev/pull/2994.diff
  Fetch: git fetch https://git.openjdk.org/jdk11u-dev.git pull/2994/head:pull/2994

PR: https://git.openjdk.org/jdk11u-dev/pull/2994

More information about the jdk-updates-dev mailing list