SSL Certificate Analysis for bugs.openjdk.java.net - Security Grade & TLS Configuration

Certificate Information

Subject

C=US, ST=California, L=Redwood City, O=Oracle Corporation, CN=bugs.openjdk.org

Issuer

C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1

Valid From

October 02, 2025

Valid Until

October 04, 2026 335 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA384

SHA-256 Fingerprint

E7:8A:4C:39:31:E0:72:EE:6E:E1:F1:8F:92:FD:F8:9E:AF:F4:E2:99:F8:8F:D6:0E:32:F9:A2:07:CB:07:33:76

Alternative Names

22 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Weak

frame-ancestors

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Significantly strengthen CSP directives
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

22 domains

jdk.java.net openjdk.java.net bugs.openjdk.java.net cr.openjdk.java.net db.openjdk.java.net git.openjdk.java.net hg.openjdk.java.net id.openjdk.java.net mail.openjdk.java.net webrevs.openjdk.java.net wiki.openjdk.java.net

Other domains in certificate

bugs.openjdk.org cr.openjdk.org db.openjdk.org git.openjdk.org hg.openjdk.org id.openjdk.org mail.openjdk.org openjdk.org webrevs.openjdk.org wiki.openjdk.org

jbs.oracle.com