Skip to content

8263188: JSSE should fail fast if there isn't supported signature algorithm #3126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

8263188: JSSE should fail fast if there isn't supported signature algorithm #3126

wants to merge 2 commits into from

Conversation

@vieiro
Copy link
Contributor

@vieiro vieiro commented Nov 27, 2025
edited by openjdk bot
Loading

Clean backport of JDK-8263188 to JDK11.

It will make it easier to backport and review JDK-8349583 and JDK-8340321 , so OpenJDK 11 follows the Oracle JRE and JDK Cryptographic Roadmap on 2026/01 by disabling SHA-1 in TLS/DTLS 1.2 handshake signatures.

Since JDK11 does not sport the ByteBuffer.slice(int, int) method in JDK17 (used in test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java), a second commit adds an equivalent and updates the test.

Tested on Linux with tier1 tests:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/hotspot/jtreg:tier1                     1497  1497     0     0   
   jtreg:test/jdk:tier1                               1899  1899     0     0   
   jtreg:test/langtools:tier1                         3941  3941     0     0   
   jtreg:test/nashorn:tier1                              0     0     0     0   
   jtreg:test/jaxp:tier1                                 0     0     0     0   
==============================
TEST SUCCESS

Also security tests (including new ones) pass:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk/sun/security                         664   664     0     0   
==============================
TEST SUCCESS

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8263188 needs maintainer approval

Issue

  • JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3126/head:pull/3126
$ git checkout pull/3126

Update a local copy of the PR:
$ git checkout pull/3126
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3126/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3126

View PR using the GUI difftool:
$ git pr show -t 3126

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3126.diff

Using Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Nov 27, 2025

👋 Welcome back avieiro! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Nov 27, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@vieiro vieiro changed the title Backport 99b4bab 8263188: JSSE should fail fast if there isn't supported signature algorithm Nov 27, 2025
@vieiro
Copy link
Contributor Author

vieiro commented Nov 27, 2025

(Is there a GitHub - JIRA sync issue? I've updated the PR title manually)

@openjdk openjdk bot added the rfr Pull request is ready for review label Nov 27, 2025
@mlbridge
Copy link

mlbridge bot commented Nov 27, 2025
edited
Loading

Webrevs

@jerboaa
Copy link
Contributor

jerboaa commented Nov 27, 2025
edited
Loading

@vieiro Changing the title manually won't help as then the patch isn't being recognized as backport. Please use the fulll sha and try again:

Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5

@vieiro vieiro changed the title 8263188: JSSE should fail fast if there isn't supported signature algorithm Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5 Nov 27, 2025
@openjdk openjdk bot changed the title Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5 8263188: JSSE should fail fast if there isn't supported signature algorithm Nov 27, 2025
@openjdk
Copy link

openjdk bot commented Nov 27, 2025

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport Port of a pull request already in a different code base label Nov 27, 2025
@vieiro vieiro force-pushed the backports/JDK-8263188-2 branch from a2a223a to b17720d Compare December 4, 2025 10:09
@openjdk
Copy link

openjdk bot commented Dec 4, 2025

@vieiro Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@vieiro
Copy link
Contributor Author

vieiro commented Dec 4, 2025

I've rebased on master to get the recently merged JDK-8341964 and JDK-8245545 on this branch.

And retested with run-test-jdk_security:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk:jdk_security                        1361  1361     0     0   
==============================
TEST SUCCESS

jerboaa
jerboaa reviewed Dec 4, 2025
View reviewed changes
Copy link
Contributor

@jerboaa jerboaa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Please update the copyright since another change happend since and there is no THL A29 Limited in other copyright notices anymore.

test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java
@@ -0,0 +1,393 @@
/*
* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
Copy link
Contributor

@jerboaa jerboaa Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
* Copyright (C) 2021, Tencent. All rights reserved.

Note that JDK-8364597 has been brought to JDK 11 since. We should keep it aligned.

test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS13.java
@@ -0,0 +1,89 @@
/*
* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
Copy link
Contributor

@jerboaa jerboaa Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
* Copyright (C) 2021, Tencent. All rights reserved.

Same here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jerboaa jerboaa jerboaa left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport Port of a pull request already in a different code base rfr Pull request is ready for review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vieiro @jerboaa