Bug ID: JDK-8337664 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

JDK-8337664 : Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2024-08-01
Updated: 2024-09-30
Resolved: 2024-09-03

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 17	JDK 21	JDK 23	JDK 24	JDK 7	JDK 8	Other
11.0.25-oracleFixed	17.0.13-oracleFixed	21.0.5-oracleFixed	23.0.1Fixed	24 b14Fixed	7u441Fixed	8u431Fixed	openjdk8u432Fixed

Related Reports

CSR :	JDK-8339194 - Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Relates :	JDK-8340414 - [8u] Use an internal listOf & setOf when backporting List.of & Set.of
Relates :	JDK-8339560 - Unaddressed comments during code review of JDK-8337664
Relates :	JDK-8207258 - Distrust TLS server certificates anchored by Symantec Root CAs
Relates :	JDK-8341059 - Change Entrust TLS distrust date to November 12, 2024

Sub Tasks

JDK-8339495 :

Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 - Resolved

Description

Google [1] and Mozilla [2] have announced plans to distrust TLS Server certificates issued by Entrust.

This enhancement will implement similar restrictions in the JDK.

The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after October 31, 2024. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, ex:

   "TLS Server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"

If necessary, you can work around the restrictions by removing "ENTRUST_TLS" from the "jdk.security.caDistrustPolicies" security property.

The restrictions will be imposed on the following Entrust Root certificates (identified by Distinguished Name) included in the JDK (note that AffirmTrust are Entrust CAs):

1. CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.",
    OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
2. CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", 
    OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
3. CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", 
    OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
4. CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
    OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
5. CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, 
    OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
6. CN=AffirmTrust Commercial, O=AffirmTrust, C=US
7. CN=AffirmTrust Networking, O=AffirmTrust, C=US
8. CN=AffirmTrust Premium, O=AffirmTrust, C=US
9. CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

[1] https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw

Comments

Critical request [11u] I backport this for parity with 11.0.25-oracle. Risk assessment pointless, change required by the Crypto Roadmap in the October update. I had to do a trival code adaption. Test passes. SAP nightly testing passed.
30-09-2024
Critical request [8u] I did an 8u backport for parity with 8u431 (oracle). As stated for other backports, this change is targeted by the Crypto Roadmap for the October update. Code adjustments are documented in the pull request, and the changes reviewed by [~sgehwolf]. The new test passes and there are no regressions against jdk8u/master.
13-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u/pull/61 Date: 2024-09-10 20:55:35 +0000
12-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk11u/pull/95 Date: 2024-09-05 11:31:46 +0000
05-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u/pull/451 Date: 2024-09-05 10:24:16 +0000
05-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u/pull/396 Date: 2024-09-05 10:28:09 +0000
05-09-2024
Critical request [17u,21u] I backport this for parity with 17.0.13-oracle,21.0.5-oracle. Risk assessment pointless, change required by the Crypto Roadmap in the October update. Clean backport. Test passes. SAP nightly testing passed.
05-09-2024
Current aim is for October release as per JDK crypto roadmap: https://www.java.com/en/jre-jdk-cryptoroadmap.html
05-09-2024
Hi [~mpowers], [~coffeys] and [~pkumaraswamy] I assume you want to backport this all the way to 8, given the CSR mentions all these versions. Will you target the October release or a later one? I would appreciate if we can target the same version in jdk-updates.
05-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk23u/pull/91 Date: 2024-09-04 06:04:07 +0000
04-09-2024
Changeset: bbb51616 Branch: master Author: Mark Powers <mpowers@openjdk.org> Date: 2024-09-03 19:55:58 +0000 URL: https://git.openjdk.org/jdk/commit/bbb516163d400a9c7e923e423fe2a60091b59322
03-09-2024
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/20731 Date: 2024-08-27 17:18:29 +0000
30-08-2024