JDK-8346587 : Distrust TLS server certificates anchored by Camerfirma Root CAs
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-12-18
  • Updated: 2025-10-07
  • Resolved: 2025-01-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 17 JDK 21 JDK 24 JDK 25 JDK 7 JDK 8 Other
11.0.27-oracleFixed 17.0.15-oracleFixed 21.0.7-oracleFixed 24.0.1Fixed 25 b08Fixed 7u461Fixed 8u451Fixed openjdk8u462,shenandoah8u452Fixed
Related Reports
CSR :  
JDK-8347738 - Distrust TLS server certificates anchored by Camerfirma Root CAs
Relates :  
JDK-8350498 - Remove two Camerfirma root CA certificates
Sub Tasks
JDK-8348690 :  
Release Note: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025 - Resolved
Description
TLS server certificates anchored by Camerfirma Root CAs are distrusted or distrusted after a specific date by Google [1], Mozilla [2], Apple [3], and Microsoft [4, 5].

This enhancement will implement similar restrictions in the JDK.

The restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate's notBefore date is after April 15, 2025. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, ex:

   "TLS Server certificate issued after April 15, 2025 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"

If necessary, you can work around the restrictions by removing "CAMERFIRMA_TLS" from the "jdk.security.caDistrustPolicies" security property.

The restrictions will be imposed on the following Camerfirma Root certificates (identified by Distinguished Name) included in the JDK:

1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
[2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
[3] https://support.apple.com/en-us/121668
[4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
[5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u/pull/68 Date: 2025-03-04 10:12:04 +0000
10-03-2025
Fix Request (OpenJDK 8u): Please approve this backport to the April 8u452 release. This bug is mentioned on the crypto-roadmap and we should get it included in that release. The JDK 8u backport is not clean, but got reviewed by Martin Balao and Francisco Ferrari Bihurriet. The patch depends on JDK-8339560 (test change only, low risk). Risk should be low as it shouldn't affect any existing certificates and beyond April 15 certs rooted by Camerfirma CA could be trusted again by removing the entry in java.security.
26-02-2025
A pull request was submitted for review. Branch: pr/626 URL: https://git.openjdk.org/jdk8u-dev/pull/627 Date: 2025-02-25 11:51:52 +0000
25-02-2025
[jdk11u-fix-request] Approval Request from Antonio Vieiro Please approve this backport from JDK 17 that distrusts some Root CA certificates for the upcoming 11.0.27, as per the JRE and JDK Crypto Roadmap. Tier1 and security test pass.
14-02-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk11u-dev/pull/2994 Date: 2025-02-13 18:52:18 +0000
14-02-2025
[jdk17u-fix-request] Approval Request from Antonio Vieiro Please approve this backport to JDK-17 to distrust Camerfirma Root CAs, required in 2025-04. Security tests pass.
12-02-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3276 Date: 2025-02-12 14:33:03 +0000
12-02-2025
Thanks for that additional information, Prasadarao. You're unlikely to see anything for 24.0.1 until the release now, as it was closed for public commits on the 4th of February: https://mail.openjdk.org/pipermail/jdk-updates-dev/2025-January/040920.html I agree with Severin et al. that this should go in the April update, given it comes into action on the same day as that release. Otherwise, such certificates will be trusted by the JDK for the three months before the July update.
12-02-2025
This crypto item is targeted for April 2025: https://www.java.com/en/jre-jdk-cryptoroadmap.html
10-02-2025
Hi [~goetz], Thanks for pointing this out. It's not that I want to deviate from Oracle's schedule on purpose, I just saw the CPU25_04-critical-approved tag and I thought this was already agreed upon to be included in the 2025/04 CPU for 21.0.7. Having said that, Camerfirma is a CA located in Spain but operates also in South America, and it's also eIDAS compliant. Looking at Camerfirma's "Certification Practice Statement and Certificate Policies" [1], one of the Root CAs certificates (Chambers of Commerce Root – 2008 (certificate with SHA-1 signature, page 21) is affected but it's valid until 2038, so from a security perspective is probably important to distrust this quickly. Maybe it's worth reconsidering if this should go in 21.0.7? Thanks, Antonio [1] https://daa1df3k0xsds.cloudfront.net/wp-content/uploads/2024/11/CPS_CP_CAMERFIRMA_EN_v1.5.1.pdf
07-02-2025
[~sgehwolf] There is no hurry, the repo is open another 3 weeks. Let's wait a bit and see whether Oracle pushes to 24.0.1, or updates the release note with proper versions for 21&17.
07-02-2025
[~goetz] It also mentions 24.0.1. So it seems Oracle is split about this as well. It feels like this should be in 21.0.7 as there is a way to opt out, but not a way to opt in.
07-02-2025
[~sgehwolf] > Where do you get the feeling that this will be in July only? The release note mentions 21.0.8 and 17.0.16, but not the April versions.
07-02-2025
[~goetz] We don't know exactly in which versions those go at the Oracle JDK side. Since the distrust is supposed to happen after April 15 and the 21.0.7 release is scheduled for the same date it makes sense to include it with that version. If that's not wanted, users can remove the CAMERFIRMA_TLS entry from their jdk.security.caDistrustPolicies in java.security config file. My understanding is that browsers are ahead of the JDK in that regard. Where do you get the feeling that this will be in July only? AFAIK, 24.0.1 is in progress and others might follow. It's a moving thing.
07-02-2025
Hi [~sgehwolf] You approved this for 21.0.7. Are you sure this is the right thing to do? OracleJDK will only have this in 21.0.8, at least this is what the backport information and the release note are saying. I would prefer to align with Oracle. I remove the label for now, feel free to add it again if there are good reasons to push this to 21.0.7. But actually the versions in the release note are ambiguous, see my comment in the release note. [~avieiro], why do you want to have this already in 21.0.7? Please give a detailed motivation why you want to deviate from the Oracle schedule.
07-02-2025
[jdk21u-fix-request] Approval Request from Antonio Vieiro Please approve this backport to JDK-21 to distrust Camerfirma Root CAs, required in 2025-04. Security tests pass.
06-02-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1388 Date: 2025-02-06 10:02:04 +0000
06-02-2025
Hi [~pkoppula], I'll try to get it sponsored ASAP. Apologies for the delay.
06-02-2025
[~avieiro] We are awaiting the 24u push to proceed with the April CPU integration. Could you please request a sponsor to complete the 24u push process?
06-02-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk24u/pull/40 Date: 2025-01-29 11:25:16 +0000
29-01-2025
[jdk24u-fix-request] Approval Request from Antonio Vieiro Let's try to get this on time for 24.0.1 (... and for 21.0.7, 17.0.15, 11.0.27 and 8u451 :-) ).
29-01-2025
Changeset: 907350e9 Branch: master Author: Mark Powers <mpowers@openjdk.org> Date: 2025-01-24 23:05:34 +0000 URL: https://git.openjdk.org/jdk/commit/907350e9e8e9b66365e9eaa3ae89ddc55cf9731f
24-01-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/22985 Date: 2025-01-08 23:27:34 +0000
23-01-2025