JDK-8339560 : Unaddressed comments during code review of JDK-8337664
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 24
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-09-04
  • Updated: 2025-03-19
  • Resolved: 2024-09-26
Version table:
  • JDK 11: 11.0.26-oracle (Fixed)
  • JDK 17: 17.0.14-oracle (Fixed)
  • JDK 21: 21.0.6-oracle (Fixed)
  • JDK 23: 23.0.2 (Fixed)
  • JDK 24: 24 b18 (Fixed)
  • JDK 7: 7u451 (Fixed)
  • JDK 8: 8u441 (Fixed)
  • Other: openjdk8u452 (Fixed)
Description
During the review, Rajan and Sean had several comments that I was unable to address because of time constraints. Nothing was urgent so it was decided to file a follow-on bug.

1. test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java, line 113:
Rajan - "Please update this and other Exception thrown in loadCertificateChain and testTM function to RuntimeException."

2. test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java, line 141:
Rajan - "Should this be updated to throw SkippedException so we know that certificates are expired?"

3. Sean - "I noticed we could combine some of the Symantec and Entrust tests, but I think it is too risky at this point."

Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u/pull/67 Date: 2025-03-04 09:48:18 +0000
04-03-2025

Fix Request (OpenJDK 8u): Please approve this backport for JDK 8u which allows for easier backporting of distrust bugs. One of which is JDK-8346587 that I'd like to backport for the 8u452 release (April 2025). Test only change, so risk is low. Tests pass. Reviewed by Martin Balao and Francisco Ferrari Bihurriet.
25-02-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/626 Date: 2025-02-24 20:02:57 +0000
24-02-2025

[jdk11u-fix-request] Approval Request from Antonio Vieiro Please approve this backport from JDK 17 that improves handling of distrusted certificates (this will ease review of future backports, as the upcoming JDK-8346587 for CPU 2025/04). Tier1 and related tests pass.
14-02-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk11u-dev/pull/2993 Date: 2025-02-13 17:46:52 +0000
13-02-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk23u/pull/152 Date: 2024-10-10 09:31:37 +0000
10-10-2024

[jdk23u-fix-request] Approval Request from Ramesh Gangadhar JDK-8339560: Unaddressed comments during code review of JDK-8337664
10-10-2024

Fix request [17u] I backport this test only change to keep the tests in this area where we have frequent backports close to head. No risk, only a test change. Clean backport from 21. Tests pass. SAP nightly testing passed.
08-10-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/2943 Date: 2024-10-07 09:21:04 +0000
07-10-2024

Fix request [21u] I backport this test only change to keep the tests in this area where we have frequent backports close to head. No risk, only a test change. A later change touching one of the moved files was backported early. Clean composition of backout, patch, redo. Tests pass. SAP nightly testing passed.
03-10-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1018 Date: 2024-10-02 11:57:56 +0000
02-10-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1016 Date: 2024-09-30 15:01:41 +0000
30-09-2024

Changeset: 95d3e9d1 Branch: master Author: Fernando Guallini <fguallini@openjdk.org> Committer: Sean Mullan <mullan@openjdk.org> Date: 2024-09-26 13:20:14 +0000 URL: https://git.openjdk.org/jdk/commit/95d3e9d199600bac0284f9151b99aef152e027ac
26-09-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/20944 Date: 2024-09-11 09:07:15 +0000
11-09-2024

I see, Symantec and Entrust tests can be combined for reusability. I will also include the other suggestions.
05-09-2024

Also, many of the Symantec test certs have already expired. We may want to consider setting the validation date to a date after the distrust date but before the date these certs have expired in order to test that they are properly distrusted.
05-09-2024