JDK-8350807 : Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,11,17,21,25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-02-26
  • Updated: 2025-09-02
  • Resolved: 2025-04-17
Release   Fix version       Status
JDK 17    17.0.17           Fixed
JDK 21    21.0.9-oracle     Fixed
JDK 25    25 b20            Fixed
Related Reports
Causes :  
Relates :  
Relates :  
Description
The TLSv1.3 RFC prohibits the use of the MD5 algorithm in certificates:
-----
Any endpoint receiving any certificate which it would need to
validate using any signature algorithm using an MD5 hash MUST abort
the handshake with a "bad_certificate" alert.
-----

The bug manifests itself when older protocol versions are supported besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are supported, both client and server calculate their respective SSLSession's "localSupportedSignAlgs" based on the supported signature algorithms for all active protocols and don't update it when the negotiated protocol is established. The "localSupportedSignAlgs" list is then used to validate the certificate's signature algorithm.

While we disable "MD5withRSA" in the java.security config, the MD5 algorithm should not be allowed in TLSv1.3 regardless of that optional configuration.

To reproduce:
Run the "sun/net/www/protocol/https/HttpsURLConnection/Identities.java" unit test. Observe the test running on the TLSv1.3 protocol while using certificates with the "md5WithRSA" signature algorithm.
Comments
Fix request [17u] I would like to backport this as it applies to 17, too, and using wrong algs violates TLS. Medium risk, change to an important component. Fix will have one month exposure after release of 25 ... which is at least some. Backport of the change in 21 which contains the fix for the follow-up issue. Smaller resolves of code needed, and adaptation of the test. Tests pass. SAP nightly testing passed.
02-09-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3879 Date: 2025-09-01 12:10:41 +0000
01-09-2025

Fix request [21u] I backport this for parity with 21.0.9-oracle. Medium risk, important component and larger change. Resolved backport, but recognized clean. But the test needed an adaptation. Tests pass. SAP nightly testing passed.
25-08-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/2085 Date: 2025-08-13 12:46:58 +0000
23-08-2025

Changeset: abb23828 Branch: master Author: Artur Barashev <abarashev@openjdk.org> Committer: Sean Mullan <mullan@openjdk.org> Date: 2025-04-17 13:45:47 +0000 URL: https://git.openjdk.org/jdk/commit/abb23828f9dc5f4cdb75d5b924dd6f45925102cd
17-04-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/24425 Date: 2025-04-03 19:05:59 +0000
10-04-2025