[jdk8u] RFR: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs [v2]
Severin Gehwolf
sgehwolf at openjdk.org
Thu Sep 12 19:45:16 UTC 2024
On Thu, 12 Sep 2024 19:33:33 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
>> jdk/src/share/classes/sun/security/validator/EntrustTLSPolicy.java line 49:
>>
>>> 47:
>>> 48: // SHA-256 certificate fingerprints of distrusted roots
>>> 49: private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
>>
>> Suggestion:
>>
>> private static final Set<String> FINGERPRINTS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)));
>
> Updated in e96486dc7adf8fd65a398490d30d44cfbb86df4c, please note that the `SYMANTEC_TLS` distrust policy (which I checked for this backport) does not make the `FINGERPRINTS` set immutable either:
>
> https://github.com/openjdk/jdk8u/blob/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/src/share/classes/sun/security/validator/SymantecTLSPolicy.java#L66-L70
>
> Should we also update `SymantecTLSPolicy.java`?

Thanks!

> Should we also update `SymantecTLSPolicy.java`?

No, not in this bug. Feel free to do this as an 8u-only fix via jdk8u-dev pr. The original backport to 8 of https://bugs.openjdk.org/browse/JDK-8207258 didn't do this. That's one of the gotchas of `Set.of()` backports. It's not terribly important.

-------------
PR Review Comment: https://git.openjdk.org/jdk8u/pull/61#discussion_r1757485768
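
The `Set.of()` backport gotcha discussed in this thread, as an added Java 8 example that is not part of the original message or of the jdk8u sources: a `HashSet` built from `Arrays.asList(...)` stays mutable behind a `final` field, the `Collections.unmodifiableSet` wrapper blocks mutation, and neither rejects nulls or duplicates the way `Set.of()` does. The class, field and method names are hypothetical, and the fingerprint strings are constructed placeholders.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration; class, field and method names are hypothetical.
public class SetOfBackportDemo {
    // Constructed placeholders, not real certificate fingerprints.
    static final String FP_A = "PLACEHOLDER_FINGERPRINT_A";
    static final String FP_B = "PLACEHOLDER_FINGERPRINT_B";

    // Naive Java 8 translation of Set.of(...): 'final' fixes the reference only.
    static final Set<String> MUTABLE = new HashSet<>(Arrays.asList(FP_A, FP_B));

    // Wrapped form from the review suggestion: mutators throw.
    static final Set<String> WRAPPED =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(FP_A, FP_B)));

    // Hypothetical helper that also restores the argument checks Set.of() makes:
    // null elements and duplicates are rejected instead of silently accepted.
    static Set<String> strictSetOf(String... values) {
        Set<String> set = new HashSet<>();
        for (String v : values) {
            if (v == null) throw new NullPointerException("null element");
            if (!set.add(v)) throw new IllegalArgumentException("duplicate element: " + v);
        }
        return Collections.unmodifiableSet(set);
    }

    // Returns true if the entry could be removed, i.e. the set is mutable.
    static boolean canRemove(Set<String> set, String fingerprint) {
        try {
            return set.remove(fingerprint);
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("HashSet entry removable: " + canRemove(MUTABLE, FP_A));
        System.out.println("still listed afterwards: " + MUTABLE.contains(FP_A));
        System.out.println("wrapped entry removable: " + canRemove(WRAPPED, FP_A));
        try {
            strictSetOf(FP_A, FP_A); // a copy-paste duplicate in the list
        } catch (IllegalArgumentException e) {
            System.out.println("strictSetOf rejected: " + e.getMessage());
        }
    }
}
```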