[jdk11u-dev] RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA

Tue Feb 17 15:39:40 UTC 2026

Backport of [JDK-8369282](https://bugs.openjdk.org/browse/JDK-8369282) - Distrust TLS server certificates anchored by Chunghwa ePKI Root CA

### Extra changes

**`src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java:84`**

- return X509CertImpl.getFingerprint("SHA-256", cert, debug);
+ return X509CertImpl.getFingerprint("SHA-256", cert);

- method `getFingerprint()` accepts only two parameters in jdk11.

### Tests

Tests were run on Fedora 43.

#### Tier 1 - PASSES

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR
   jtreg:test/hotspot/jtreg:tier1                     1530  1530     0     0
   jtreg:test/jdk:tier1                               1899  1899     0     0
   jtreg:test/langtools:tier1                         3941  3941     0     0
   jtreg:test/nashorn:tier1                              0     0     0     0
   jtreg:test/jaxp:tier1                                 0     0     0     0
==============================
TEST SUCCESS

#### `sun/security` - PASSES

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR
   jtreg:test/jdk/sun/security                         665   665     0     0
==============================
TEST SUCCESS

#### GHA - PASSES

-------------

Commit messages:
 - backport e47690176cade6a6f8cf97059cfe914f5f67cd87

Changes: https://git.openjdk.org/jdk11u-dev/pull/3157/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=3157&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8369282
  Stats: 244 lines in 5 files changed: 242 ins; 0 del; 2 mod
  Patch: https://git.openjdk.org/jdk11u-dev/pull/3157.diff
  Fetch: git fetch https://git.openjdk.org/jdk11u-dev.git pull/3157/head:pull/3157

PR: https://git.openjdk.org/jdk11u-dev/pull/3157