[jdk11u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v3]

duke duke at openjdk.org
Fri Feb 14 16:13:24 UTC 2025 

On Fri, 14 Feb 2025 10:44:29 GMT, Antonio Vieiro <duke at openjdk.org> wrote:

>> Almost clean backport of [JDK-8346587](https://bugs.openjdk.org/browse/JDK-8346587) to distrust TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root CAs.
>> 
>> This is on top of [this previous PR](https://github.com/openjdk/jdk11u-dev/pull/2993) for [JDK-8339560](https://bugs.openjdk.org/browse/JDK-8339560) ("Unaddressed comments during code review of JDK-8337664").
>> 
>> The backport is not completely clean because it required a change in line 98 of `CamerfirmaTLSPolicy.java` since [JDK-8270946](https://bugs.openjdk.org/browse/JDK-8270946) has not been backported to 11.
>> 
>> Passes `tier1` and `jdk/sun/security` tests:
>> 
>> 
>> ==============================
>> Test summary
>> ==============================
>>    TEST                                              TOTAL  PASS  FAIL ERROR   
>>    jtreg:test/hotspot/jtreg:tier1                     1497  1497     0     0   
>>    jtreg:test/jdk:tier1                               1899  1899     0     0   
>>    jtreg:test/langtools:tier1                         3941  3941     0     0   
>>    jtreg:test/nashorn:tier1                              0     0     0     0   
>>    jtreg:test/jaxp:tier1                                 0     0     0     0   
>> ==============================
>> TEST SUCCESS
>> 
>> 
>> ==============================
>> Test summary
>> ==============================
>>    TEST                                              TOTAL  PASS  FAIL ERROR   
>>    jtreg:test/jdk/sun/security                         657   657     0     0   
>> ==============================
>> TEST SUCCESS
>
> Antonio Vieiro has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - Merge master
>  - Backport f4bef2f24a9bb433b5693aa59bb81acac6b311f3
>  - Backport 6a3f208c0b32d90eb3853008301e680695d3ac28

@vieiro 
Your change (at version f78bb635d23ec7f6ff56aed062e88b580d4a4feb) is now ready to be sponsored by a Committer.

-------------

PR Comment: https://git.openjdk.org/jdk11u-dev/pull/2994#issuecomment-2659732370

More information about the jdk-updates-dev mailing list