[jdk8u] Integrated: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Francisco Ferrari Bihurriet
fferrari at openjdk.org
Fri Sep 20 10:47:49 UTC 2024
On Tue, 10 Sep 2024 20:55:35 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
> Hi, here is a [JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs](https://bugs.openjdk.org/browse/JDK-8337664) backport, based on openjdk/jdk11u#95.
>
> After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor `java.security-<platform>` context mismatches. You can verify this by comparing 00beb507c85f335e23e51b025c16fa6940a92262 against openjdk/jdk11u at 90ad5b18de314faca19e322bb21a4c33cec54785.
>
> On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134702c5967ffd886b8530ee5728907cae91. I made these adjustments in line with 68e393c051d3b5ed5b490f362c7ba97c75761ad8, the 8u backport of [JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs](https://bugs.openjdk.org/browse/JDK-8207258).
>
> #### Testing
>
> I ran `jdk/tier1` and all the tests under [`jdk/test/sun/security/ssl`](https://github.com/openjdk/jdk8u/tree/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/test/sun/security/ssl), using 64-bit _slowdebug_ and _release_ images, locally built in _Fedora Linux 40_. Please note that this includes the new `X509TrustManagerImpl/Entrust/Distrust.java`, which I've also made fail by temporarily undoing the `java.security-linux` changes. I haven't found any regression against `master` (currently e32d62e2a39510f643b32d615e76f0ff9be3d9f3).
>
> Regarding the failures in GitHub Actions, we can see that this also occurred in recent `jdk8u-dev` pull requests. For example:
>
> * `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca`
> `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca`
> * Failed in this PR, in [_Linux x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29958948355), [_Linux x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959071363), [_Windows x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959852407) and [_Windows x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959178259)
> * Same as openjdk/jdk8u-dev#430, in [_Linux x64 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766007028), [_Linux x86 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766074280), [_Windows ...
This pull request has now been integrated.
Changeset: 39221f82
Author: Francisco Ferrari Bihurriet <fferrari at openjdk.org>
Committer: Andrew John Hughes <andrew at openjdk.org>
URL: https://git.openjdk.org/jdk8u/commit/39221f82e5b7efbc60191fe199e41428667b48d8
Stats: 1125 lines in 17 files changed: 1119 ins; 0 del; 6 mod
8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Reviewed-by: sgehwolf, andrew
Backport-of: 7d49c52272b54070a13b02708dd7ce5f8e375a06
-------------
PR: https://git.openjdk.org/jdk8u/pull/61