[jdk21u-dev] Integrated: 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Goetz Lindenmaier
goetz at openjdk.org
Mon Sep 1 11:40:47 UTC 2025
On Wed, 13 Aug 2025 12:46:58 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:
> I backport this for parity with 21.0.9-oracle.
>
> Resolved one copyright. It is already at 2025.
>
> But test MD5NotAllowedInTLS13CertificateSignature.java is failing.
> It throws ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
> at MD5NotAllowedInTLS13CertificateSignature.lambda$main$1(MD5NotAllowedInTLS13CertificateSignature.java:100)
>
> It expects an array of length 1 containing the exception javax.net.ssl.SSLHandshakeException: (bad_certificate) PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
>
> All other testing, i.e. our nightlies and the tests touched here, pass.
This pull request has now been integrated.
Changeset: 1cdf8f54
Author: Goetz Lindenmaier <goetz at openjdk.org>
URL: https://git.openjdk.org/jdk21u-dev/commit/1cdf8f5497f2b986c13a1c263d806a31d67fe015
Stats: 481 lines in 16 files changed: 299 ins; 130 del; 52 mod
8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Reviewed-by: mbaesken
Backport-of: abb23828f9dc5f4cdb75d5b924dd6f45925102cd
-------------
PR: https://git.openjdk.org/jdk21u-dev/pull/2085