[jdk11u-dev] RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v4]
Andrew John Hughes
andrew at openjdk.org
Wed Feb 18 18:52:50 UTC 2026
On Mon, 16 Feb 2026 16:02:10 GMT, Antonio Vieiro <avieiro at openjdk.org> wrote:
>> Backport of [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) from [JDK17](https://github.com/openjdk/jdk17u-dev/commit/fe850da38a3fc0c9ce6cf9348efca3c846e97143), a first step to [disable SHA-1 in TLS/DTLS 1.2 handshake signatures](https://www.java.com/en/configure_crypto.html#DisableSHA1_TLS_DTLS) to comply with the [Oracle JRE Cryptographic Roadmap](https://www.java.com/en/jre-jdk-cryptoroadmap.html), to be followed with [JDK-8340321](https://bugs.openjdk.org/browse/JDK-8340321).
>>
>> Backport is not clean, as there're significant changes from JDK17.
>>
>> To ease review, three additional commits adapt the backport to JDK11, which is missing JDK-8284047 (2nd commit) and JDK-8288209 (3rd commit). Also JDK11 is missing `ByteBuffer.slice(int, int)` (4th commit).
>>
>> Tested on Linux with `tier1` tests and with `run-test-jdk_security`:
>>
>>
>> ==============================
>> Test summary
>> ==============================
>> TEST TOTAL PASS FAIL ERROR
>> jtreg:test/jdk:jdk_security 1365 1365 0 0
>> ==============================
>> TEST SUCCESS
>
> Antonio Vieiro has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains nine commits:
>
> - Merge master
> - Merge master (resolving conflicts)
> - Fix: JDK11 lacks ByteBuffer.slice(byte[], int, int)
> - Because JDK-8284047 is not backported to 11
> - Because JDK-8288209 is not backported to 11
> - Backport fe850da38a3fc0c9ce6cf9348efca3c846e97143
> - 8364597: Replace THL A29 Limited with Tencent
> - ByteBuffer.slice(int,int) for JDK11
> - Backport 99b4bab3
* `CertificateRequest.java` seems to end up with a different diff in the 11u patch, but applying the patch locally shows that the end result is the same.
* `SessionTicketExtension.java` is absent due to the absence of [JDK-8211018](https://bugs.openjdk.org/browse/JDK-8211018) which, with a CSR, doesn't seem appropriate for backport
* `SignatureScheme.java` has a number of changes from 17u ([JDK-8259223](https://bugs.openjdk.org/browse/JDK-8259223), [JDK-8255867](https://bugs.openjdk.org/browse/JDK-8255867) & [JDK-8288209](https://bugs.openjdk.org/browse/JDK-8288209)) which are not present in 11u creating differences. The latter two are potential backport candidates but not requirements for this change.
* Neither `SSLEngineTemplate.java` nor `SigAlgosExtTestWithTLS12.java` where it is moved from are appropriate homes for the `ByteBuffer.slice` clone. This should be moved to the test library. under `test/jdk/lib/testlibrary`. I don't see an obvious generic home there yet, so I would suggest adding a `Utils.java`. Other non-SSL test code may need this in future backports.
* I agree with @jerboaa that the `AbstractCheckSignatureSchemes.java` changes can now be dropped.
* The missing `SigSchemePropOrdering.java`is from [JDK-8255867](https://bugs.openjdk.org/browse/JDK-8255867) mentioned above.
-------------
Changes requested by andrew (Reviewer).
PR Review: https://git.openjdk.org/jdk11u-dev/pull/3130#pullrequestreview-3821632865
More information about the jdk-updates-dev
mailing list