[jdk8u] RFR: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs [v2]

Andrew John Hughes andrew at openjdk.org
Wed Sep 18 17:33:09 UTC 2024


On Thu, 12 Sep 2024 19:41:33 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

>> Updated in e96486dc7adf8fd65a398490d30d44cfbb86df4c, please note that the `SYMANTEC_TLS` distrust policy (which I checked for this backport) does not make the `FINGERPRINTS` set immutable either:
>> 
>> https://github.com/openjdk/jdk8u/blob/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/src/share/classes/sun/security/validator/SymantecTLSPolicy.java#L66-L70
>> 
>> Should we also update `SymantecTLSPolicy.java`?
>
> Thanks!
> 
>> Should we also update `SymantecTLSPolicy.java`?
> 
> No, not in this bug. Feel free to do this as an 8u-only fix via jdk8u-dev pr. The original backport to 8 of https://bugs.openjdk.org/browse/JDK-8207258 didn't do this. That's one of the gotchas of `Set.of()` backports. It's not terribly important.

This is a common case, as Severin implies. For the test library, we added internal versions of the `listOf` and `setOf` methods to better handle this. It has the advantage that the same error checking (null values, duplicates) is present as on the methods in later JDKs.

I can look at moving that to an internal JDK class instead to cover library cases, and fix the Symantec case then. No reason to delay this critical fix for that.

-------------

PR Review Comment: https://git.openjdk.org/jdk8u/pull/61#discussion_r1765447744
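
The `Set.of()` backport gotcha discussed in this thread, as an added example that is not code from OpenJDK or from the pull request: a Java 8 helper that returns an unmodifiable set and rejects null and duplicate elements the way `Set.of()` does in later JDKs. The class name, the `setOf` helper, and the fingerprint strings are hypothetical, and the mutable `HashSet` form is assumed here as a typical Java 8 substitute rather than quoted from the JDK source.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public class ImmutableSetBackport {

    // Hypothetical helper: a Java 8 stand-in for Set.of() that keeps its
    // error checking (NullPointerException on null, IllegalArgumentException
    // on duplicates) and returns a set that cannot be modified.
    @SafeVarargs
    static <E> Set<E> setOf(E... elements) {
        Set<E> set = new HashSet<>();
        for (E e : elements) {
            Objects.requireNonNull(e, "null element");
            if (!set.add(e)) {
                throw new IllegalArgumentException("duplicate element: " + e);
            }
        }
        return Collections.unmodifiableSet(set);
    }

    // Constructed placeholder values, not real certificate fingerprints.
    private static final String FP_A = "PLACEHOLDER_FINGERPRINT_A";
    private static final String FP_B = "PLACEHOLDER_FINGERPRINT_B";

    public static void main(String[] args) {
        // Assumed Java 8 substitute: compiles and works, but the set stays
        // mutable, so an entry can be dropped from it at runtime.
        Set<String> mutable = new HashSet<>(Arrays.asList(FP_A, FP_B));
        mutable.remove(FP_A);
        System.out.println("mutable set after remove(): " + mutable);

        // With the helper, modification attempts fail loudly.
        Set<String> fixed = setOf(FP_A, FP_B);
        try {
            fixed.remove(FP_A);
        } catch (UnsupportedOperationException e) {
            System.out.println("unmodifiable set rejected remove()");
        }

        // A duplicated entry in the literal list is caught at class init.
        try {
            setOf(FP_A, FP_A);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```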

