JDK-8340321 : Disable SHA-1 in TLS/DTLS 1.2 handshake signatures
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-09-17
  • Updated: 2025-05-08
  • Resolved: 2025-04-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 17 JDK 21 JDK 25 JDK 8
11.0.30-oracleUnresolved 17.0.18-oracleUnresolved 21.0.10-oracleUnresolved 25 b18Fixed 8u481Unresolved
Related Reports
Blocks :  
JDK-8349583 - Add mechanism to disable signature schemes based on their TLS scope
CSR :  
JDK-8353566 - Disable SHA-1 in TLS/DTLS 1.2 handshake signatures
Relates :  
JDK-8301626 - Capture Key Exchange information in TLSHandshakeEvent
Sub Tasks
JDK-8353879 :  
Release Note: Disabled SHA-1 in TLS/DTLS 1.2 handshake signatures - Resolved
Description
RFC 9155 [1] deprecates the use of SHA-1 in TLS & DTLS 1.2 digital signatures. This does not affect SHA-1 in TLS server certificates which has already been disabled.

Other TLS implementations have started deprecating their usage. Chrome 117 has removed support for signature algorithms using SHA-1 for server signatures during the TLS handshake [2]. OpenSSL changed their default security level to 2 in version 3.2.0, and this level disables SHA-1 TLS signatures.

[1] https://www.rfc-editor.org/rfc/rfc9155.html
[2] https://chromestatus.com/feature/4832850040324096
Comments
Changeset: dfa79c37 Branch: master Author: Artur Barashev <abarashev@openjdk.org> Committer: Sean Mullan <mullan@openjdk.org> Date: 2025-04-08 13:02:50 +0000 URL: https://git.openjdk.org/jdk/commit/dfa79c373097d17a347b7c17103c57e12f59dc67
08-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/24367 Date: 2025-04-01 20:53:01 +0000
01-04-2025