Skip to content

8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled #2085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled #2085

wants to merge 1 commit into from

Conversation

GoeLin
Copy link
Member

@GoeLin GoeLin commented Aug 13, 2025
edited by openjdk bot
Loading

I backport this for parity with 21.0.9-oracle.

Resolved one copyright. It is already at 2025.

But test MD5NotAllowedInTLS13CertificateSignature.java is failing.
It throws ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
at MD5NotAllowedInTLS13CertificateSignature.lambda$main$1(MD5NotAllowedInTLS13CertificateSignature.java:100)

It expects an array of length 1 containing the exception javax.net.ssl.SSLHandshakeException: (bad_certificate) PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA

All other testing, i.e. our nighlties and the tests touched here, pass.

Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8350807 needs maintainer approval

Issue

  • JDK-8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled (Bug - P3)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk21u-dev.git pull/2085/head:pull/2085
$ git checkout pull/2085

Update a local copy of the PR:
$ git checkout pull/2085
$ git pull https://git.openjdk.org/jdk21u-dev.git pull/2085/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2085

View PR using the GUI difftool:
$ git pr show -t 2085

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk21u-dev/pull/2085.diff

@bridgekeeper
Copy link

bridgekeeper bot commented Aug 13, 2025

👋 Welcome back goetz! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Aug 13, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@openjdk openjdk bot changed the title backport abb23828f9dc5f4cdb75d5b924dd6f45925102cd 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled Aug 13, 2025
@openjdk
Copy link

openjdk bot commented Aug 13, 2025

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added backport Port of a pull request already in a different code base clean Identical backport; no merge resolution required labels Aug 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
backport Port of a pull request already in a different code base clean Identical backport; no merge resolution required
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@GoeLin