Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8207258

Distrust TLS server certificates anchored by Symantec Root CAs

    XMLWordPrintable

    Details

      Backports

        Description

        Google [1], Mozilla [2], Apple [3], and Microsoft [4] have previously announced plans to distrust TLS Server certificates issued by Symantec.

        This enhancement will implement similar restrictions in the JDK.

        Precise details are still being planned, but the restrictions will be enforced in the SunJSSE Provider of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities (and additional constraints such as the certificate notBefore date that will be later defined) in the table below. An application will receive an Exception with a message indicating the trust anchor (root) is not trusted, ex:

           "TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

        If necessary, you can work around the restrictions by removing "SYMANTEC_TLS" from the "jdk.security.caDistrustPolicies" security property.

        The restrictions will be imposed on the following Symantec Root certificates (identified by Distinguished Name) included in the JDK (note that GeoTrust, Thawte, and VeriSign are Symantec CAs):

        1. CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        2. CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
        3. CN=GeoTrust Primary Certification Authority - G2,
            OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
        4. CN=GeoTrust Primary Certification Authority - G3,
            OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
        5. CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
        6. CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only",
            OU=Certification Services Division, O="thawte, Inc.", C=US
        7. CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only",
            O="thawte, Inc.", C=US
        8. CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only",
            OU=Certification Services Division, O="thawte, Inc.", C=US
        9. EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA,
            OU=Certification Services Division, O=Thawte Consulting cc,
            L=Cape Town, ST=Western Cape, C=ZA
        10. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only",
              OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
        11. OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
        12. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only",
              OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
        13. CN=VeriSign Class 3 Public Primary Certification Authority - G3,
              OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        14. CN=VeriSign Class 3 Public Primary Certification Authority - G4,
              OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        15. CN=VeriSign Class 3 Public Primary Certification Authority - G5,
              OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US
        16. CN=VeriSign Universal Root Certification Authority,
              OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
              O="VeriSign, Inc.", C=US

        [1] https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
        [2] https://wiki.mozilla.org/CA:Symantec_Issues
        [3] https://support.apple.com/en-us/HT208860
        [4] https://cloudblogs.microsoft.com/microsoftsecure/2018/10/04/microsoft-partners-with-digicert-to-begin-deprecating-symantec-tls-certificates/

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: