
[Enhancement] Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" removed in Mozilla's cacerts caused test 'Distrust.java' to fail

Open zhengxiaolinX opened this issue 4 years ago • 3 comments

Description

In JDK-8207258, a test 'Distrust.java' is imported, for fixing a cacerts file problem: https://bugs.openjdk.java.net/browse/JDK-8207258, and which references Apple's HT208860 doc. However, Apple updated this doc on 6/24/2020 and marked 'VeriSign Class 3 Public Primary Certification Authority - G3' untrusted. At nearly the same time, Mozilla updated their certificates and removed the outdated 'G3' certificate. We use Mozilla's cacerts, and the test fails. OpenJDK is still using this 'G3' certificate currently.

Steps to Reproduce

Run 'Distrust.java' using Mozilla's cacerts

Expected behavior

Test passes

JDK version

openjdk version "1.8.0_262"
OpenJDK Runtime Environment (Alibaba Dragonwell 8.4.4) (build 1.8.0_262-b00)
OpenJDK 64-Bit Server VM (Alibaba Dragonwell 8.4.4) (build 25.262-b00, mixed mode)


zhengxiaolinX avatar Aug 01 '20 14:08 zhengxiaolinX
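A quick way to confirm whether a given cacerts file still carries the root named in the issue title, as an added example that is not part of the original issue or of the Dragonwell/OpenJDK sources. The class name `FindRoot`, the command-line arguments and the conventional `changeit` store password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class FindRoot {
    // Common name of the root, taken from the issue title.
    static final String WANTED =
        "VeriSign Class 3 Public Primary Certification Authority - G3";

    public static void main(String[] args) throws Exception {
        // args[0] (assumed): path to the cacerts file to audit.
        // Default: the trust store shipped with the running JDK.
        Path store = args.length > 0
            ? Paths.get(args[0])
            : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // args[1] (assumed): store password; "changeit" is the usual default.
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, pass);
        }

        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // only X.509 entries carry a subject DN
            }
            X509Certificate x = (X509Certificate) c;
            // RFC 2253 form, e.g. "CN=...,OU=...,O=...,C=US"
            String subject = x.getSubjectX500Principal().getName();
            if (subject.contains("CN=" + WANTED)) {
                found = true;
                System.out.printf("present: alias=%s notAfter=%s%n",
                                  alias, x.getNotAfter());
            }
        }
        if (!found) {
            System.out.println("absent from " + store);
        }
        // Exit status lets a CI job gate on the result.
        System.exit(found ? 0 : 1);
    }
}
```

Running it against both the OpenJDK-built store and the Mozilla-derived one shows which of the two still contains the root.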

Does this issue disclose certain kinds of security breaches? In that case, this public issue itself might be a security risk for Dragonwell users. Is it possible to set up a process to deal with security issues in a safer manner? Maybe notifying known/supported users privately before making it public.

Anyway, I've got no idea if you have done the notification work before, just guessing, pls ignore if there already has been such a mechanism.

Cheers

luchsh avatar Aug 04 '20 03:08 luchsh

> Does this issue disclose certain kinds of security breaches? In that case, this public issue itself might be a security risk for Dragonwell users. Is it possible to set up a process to deal with security issues in a safer manner? Maybe notifying known/supported users privately before making it public.
>
> Anyway, I've got no idea if you have done the notification work before, just guessing, pls ignore if there already has been such a mechanism.
>
> Cheers

@sanhong @yuleil @zhengxiaolinX I guess this might have to be revisited.

luchsh avatar Aug 04 '20 03:08 luchsh

Thanks for the advice. We are currently working on this.

zhengxiaolinX avatar Aug 05 '20 02:08 zhengxiaolinX