JDK-8353738 : Update TLS unit tests to not use certificates with MD5 signatures
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 24
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2025-04-04
  • Updated: 2025-05-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 25
25Unresolved
Related Reports
Blocks :  
JDK-8325766 - Review seclibs tests for cert expiry
Relates :  
JDK-8350807 - Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Description
We have a number of old TLS unit tests still using certificates with `MD5WithRSA` signature. MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates. As we fix JDK-8350807 those tests will start failing when running on TLSv1.3 protocol. The following tests to be updated:

sun/net/www/protocol/https/HttpsURLConnection/Identities.java
sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java
javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java

Note:
We should have 2 runs of `sun/net/www/protocol/https/HttpsURLConnection/*Identities.java` tests: one using TLSv1.3 protocol with non-MD5 signature certificate, and another using TLSv1.2 protocol with certificate using MD5WithRSA signature. It is important to have some tests that still use certificates with `MD5WithRSA` signature. Because we want to make sure they still work if someone re-enables the algorithm
Comments
These tests were updated with JDK-8350807 to run with only TLSv1.2 protocol. The fix for this bug should enable other protocols.
08-05-2025
Also consider modifying the above tests to have 2 runs, one with TLSv1.3, and the other with TLSv1.2.
16-04-2025