OpenJDK 11.0.12 Released

Andrew Hughes gnu.andrew at
Wed Jul 21 04:49:04 UTC 2021

We are pleased to announce the release of OpenJDK 11.0.12.

The source tarball is available from:


The tarball is accompanied by a digital signature available at:


This is signed by our Red Hat OpenJDK key (openjdk at

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

5f139e8760d1ea0587d029b3c217654ed3bf6f46d663eb418e19f42f36c061e5  openjdk-11.0.12-ga.tar.xz
43ae2c4e6dd65b67457eecefa953d213bd0cc8cf0ce725958f5315feca0ea13e  openjdk-11.0.12-ga.tar.xz.sig

The checksums can be downloaded from:


New in release OpenJDK 11.0.12 (2021-07-20):
Live versions of these release notes can be found at:

* Security fixes
  - JDK-8256157: Improve bytecode assembly
  - JDK-8256491: Better HTTP transport
  - JDK-8258432, CVE-2021-2341: Improve file transfers
  - JDK-8260453: Improve Font Bounding
  - JDK-8260960: Signs of jarsigner signing
  - JDK-8260967, CVE-2021-2369: Better jar file validation
  - JDK-8262380: Enhance XML processing passes
  - JDK-8262403: Enhanced data transfer
  - JDK-8262410: Enhanced rules for zones
  - JDK-8262477: Enhance String Conclusions
  - JDK-8262967: Improve Zip file support
  - JDK-8264066, CVE-2021-2388: Enhance compiler validation
  - JDK-8264079: Improve abstractions
  - JDK-8264460: Improve NTLM support
* Other changes
  - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
  - JDK-7106851: Test should not use System.exit
  - JDK-8073446: TimeZone getOffset API does not  return a dst offset between years 2038-2137
  - JDK-8076190: Customizing the generation of a PKCS12 keystore
  - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms
  - JDK-8171303: sun/java2d/pipe/ fails on Windows & Linux
  - JDK-8177068: incomplete classpath causes NPE in Flow
  - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution
  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
  - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
  - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen
  - JDK-8196100: javax/swing/text/JTextComponent/5074573/ fails
  - JDK-8199646: JShell tests: jdk/jshell/ failed with java.lang.UnsupportedOperationException
  - JDK-8206925: Support the certificate_authorities extension
  - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty
  - JDK-8207247: AARCH64: Enable Minimal and Client VM builds
  - JDK-8207404: MulticastSocket tests failing on AIX
  - JDK-8207779: Method::is_valid_method() compares 'this' with NULL
  - JDK-8208061: runtime/LoadClass/ fails with "Load factor too high" when running in CDS mode.
  - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64
  - JDK-8210443: Migrate Locale matching tests to JDK Repo.
  - JDK-8213231: ThreadSnapshot::_threadObj can become stale
  - JDK-8213483: ARM32: runtime/ErrorHandling/ jtreg test fail
  - JDK-8213725: JShell NullPointerException due to class file with unexpected package
  - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32
  - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls
  - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames
  - JDK-8214512: ARM32: Jtreg test compiler/c2/ fails on ARM
  - JDK-8214854: JDWP: Unforseen output truncation in logging
  - JDK-8214922: Add vectorization support for fmin/fmax
  - JDK-8215009: GCC 8 compilation error in libjli
  - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file
  - JDK-8216259: AArch64: Vectorize Adler32 intrinsics
  - JDK-8216314: SIGILL in CodeHeapState::print_names()
  - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
  - JDK-8217465: [REDO] - Optimize CodeHeap Analytics
  - JDK-8217561: X86: Add floating-point Math.min/max intrinsics
  - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken
  - JDK-8218458: [TESTBUG] runtime/NMT/ fails with Expected stack trace missing from output
  - JDK-8219142: Remove unused JIMAGE_ResourcePath
  - JDK-8219586: CodeHeap State Analytics processes dead nmethods
  - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS
  - JDK-8220407: compiler/intrinsics/math/ timedout
  - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/ fails on any other CPU
  - JDK-8222412: AARCH64: multiple instructions encoding issues
  - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions
  - JDK-8223444: Improve CodeHeap Free Space Management
  - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods
  - JDK-8223667: ASAN build broken
  - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021
  - JDK-8225116: Test intermittently fails
  - JDK-8225438: javax/net/ssl/TLSCommon/ failed with Read timed out
  - JDK-8225756: [testbug] compiler/loopstripmining/ sets too short a SafepointTimeoutDelay
  - JDK-8226374: Restrict TLS signature schemes and named groups
  - JDK-8226627: assert(t->singleton()) failed: must be a constant
  - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint
  - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow
  - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/ failed XMM register should be 0-15
  - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size
  - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
  - JDK-8231460: Performance issue (CodeHeap) with large free blocks
  - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint)
  - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
  - JDK-8232084: HotSpot build failed with GCC 9.2.1
  - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl
  - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread
  - JDK-8233787: Break cycle in vm_version* includes
  - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register
  - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes
  - JDK-8235368: Update BCEL to Version 6.4.1
  - JDK-8236859: WebSocket over authenticating proxy fails with NPE
  - JDK-8236992: AArch64: remove redundant load_klass in itable stub
  - JDK-8237743: test/langtools/jdk/jshell/ fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: []
  - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias <nnnnnn> already exists"
  - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
  - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
  - JDK-8238812: assert(false) failed: bad AD file
  - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/
  - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64
  - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List`
  - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
  - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
  - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
  - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
  - JDK-8241248: NullPointerException in
  - JDK-8241372: Several test failures due to Connection reset
  - JDK-8241475: AArch64: Add missing support for PopCountVI node
  - JDK-8241829: Cleanup the code for PrinterJob on windows
  - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned
  - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
  - JDK-8242429: Better implementation for sign extract
  - JDK-8242557: Add length limit for strings in PNGImageWriter
  - JDK-8242919: Paste locks up jshell
  - JDK-8243155: AArch64: Add support for SqrtVF
  - JDK-8243240: AArch64: Add support for MulVB
  - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings
  - JDK-8243559: Remove root certificates with 1024-bit keys
  - JDK-8243597: AArch64: Add support for integer vector abs
  - JDK-8244031: HttpClient should have more tests for HEAD requests
  - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected
  - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails
  - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
  - JDK-8246274: G1 old gen allocation tracking is not in a separate class
  - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop
  - JDK-8247408: IdealGraph bit check expression canonicalization
  - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29
  - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
  - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32
  - JDK-8248043: Need to eliminate excessive i2l conversions
  - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
  - JDK-8248568: compiler/c2/ failed: test missing from stdout/stderr
  - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values
  - JDK-8249142: java/awt/FontClass/CreateFont/ is unstable
  - JDK-8249189: AARCH64: more L2I conversions can be skipped
  - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
  - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
  - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
  - JDK-8250876: Fix issues with cross-compile on macos
  - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits
  - JDK-8251525: AARCH64: Faster Math.signum(fp)
  - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
  - JDK-8252311: AArch64: save two words in itable lookup stub
  - JDK-8252779: compiler/graalunit/ failed after 8251525
  - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
  - JDK-8253167: ARM32 builds fail after JDK-8247910
  - JDK-8253572: [windows] CDS archive may fail to open with long file names
  - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
  - JDK-8253948: Memory leak in ImageFileReader
  - JDK-8254631: Better support ALPN byte wire values in SunJSSE
  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
  - JDK-8255086: Update the root locale display names
  - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
  - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
  - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0
  - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/ fails due to the hard coded threshold is small
  - JDK-8256244: java/lang/ProcessHandle/ fails with TestNG 7.1
  - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
  - JDK-8256523: Streamline Java SHA2 implementation
  - JDK-8257414: Drag n Drop target area is wrong on high DPI systems
  - JDK-8257569: Failure observed with JfrVirtualMemory::initialize
  - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure
  - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12
  - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist
  - JDK-8257621: JFR StringPool misses cached items across consecutive recordings
  - JDK-8257796: [TESTBUG] fails on x86_32
  - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
  - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads
  - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code
  - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m
  - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m
  - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m
  - JDK-8258414: OldObjectSample events too expensive
  - JDK-8258505: [TESTBUG] fails due to missing UnlockDiagnosticVMOptions
  - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
  - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
  - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
  - JDK-8259232: Bad JNI lookup during printing
  - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
  - JDK-8259343: [macOS] Update JNI error handling in Cocoa code.
  - JDK-8259585: Accessible actions do not work on mac os x
  - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros
  - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
  - JDK-8259710: Inlining trace leaks memory
  - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion
  - JDK-8259777: Incorrect predication condition generated by ADLC
  - JDK-8259786: initialize last parameter of getpwuid_r
  - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
  - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs
  - JDK-8259886: Improve SSL session cache performance and scalability
  - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
  - JDK-8260030: Improve stringStream buffer handling
  - JDK-8260236: better init AnnotationCollector _contended_group
  - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
  - JDK-8260284: C2: assert(_base == Int) failed: Not an Int
  - JDK-8260380: Upgrade to LittleCMS 2.12
  - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
  - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
  - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
  - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module
  - JDK-8260653: Unreachable nodes keep speculative types alive
  - JDK-8260707: java/lang/instrument/PremainClass/ times out
  - JDK-8260925: HttpsURLConnection does not work  with other JSSE provider.
  - JDK-8260926: Trace resource exhausted events unconditionally
  - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
  - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
  - JDK-8261167: print_process_memory_info add a close call after fopen
  - JDK-8261170: Upgrade to freetype 2.10.4
  - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
  - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
  - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
  - JDK-8261262: crashed with EXCEPTION_ACCESS_VIOLATION
  - JDK-8261354: SIGSEGV at MethodIteratorHost
  - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
  - JDK-8261397: try catch Method failing to work when dividing an integer by 0
  - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/ outOfBoundsMessage
  - JDK-8261447: MethodInvocationCounters frequently run into overflow
  - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
  - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/ killed by Linux OOM Killer
  - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0
  - JDK-8261649: AArch64: Optimize LSE atomics in C++ code
  - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
  - JDK-8261752: Multiple GC test are missing memory requirements
  - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks
  - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance
  - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
  - JDK-8262093: java/util/concurrent/tck/ failed "assert(false) failed: unexpected node"
  - JDK-8262110: DST starts from incorrect time in 2038
  - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0
  - JDK-8262163: Extend settings printout in jcmd VM.metaspace
  - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source
  - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
  - JDK-8262446: DragAndDrop hangs on Windows
  - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c
  - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds
  - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
  - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies
  - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
  - JDK-8262837: handle split_USE correctly
  - JDK-8262900: ToolBasicTest fails to access HTTP server it starts
  - JDK-8263260: [s390] Support latest hardware (z14 and z15)
  - JDK-8263311: Watch registry changes for remote printers update instead of polling
  - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
  - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
  - JDK-8263448: CTW: fatal error: meet not symmetric
  - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
  - JDK-8263557: Possible NULL dereference in Arena::destruct_contents()
  - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
  - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
  - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
  - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
  - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
  - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
  - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
  - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting
  - JDK-8264190: Harden TLS interop tests
  - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test
  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/
  - JDK-8264360: Loop strip mining verification fails with "should be on the backedge"
  - JDK-8264626: C1 should be able to inline excluded methods
  - JDK-8264640: CMS ParScanClosure misses a barrier
  - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
  - JDK-8264821: DirectIOTest fails on a system with large block size
  - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
  - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
  - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
  - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
  - JDK-8265154: vinserti128 operand mix up for KNL platforms
  - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
  - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
  - JDK-8265421: java/lang/String/ test is missing a memory requirement
  - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
  - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
  - JDK-8265666: Enable AIX build platform to make external debug symbols
  - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
  - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
  - JDK-8265718: Build failure after JDK-8258414 11u backport
  - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
  - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
  - JDK-8265938: C2's conditional move optimization does not handle top Phi
  - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
  - JDK-8266293: Key protection using PBEWithMD5AndDES fails with " Salt must be 8 bytes long"
  - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
  - JDK-8266802: Shenandoah: Round up region size to page size unconditionally
  - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
  - JDK-8266929: Unable to use algorithms from 3p providers
  - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
  - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
  - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
  - JDK-8267641: [11u] 8227609 backport typo
  - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
  - JDK-8268678: test fails as Let’s Encrypt Authority X3 is retired

Notes on individual issues:


JDK-8215293: Customizing PKCS12 keystore Generation
New system and security properties have been added to enable users to
customize the generation of PKCS #12 keystores. This includes
algorithms and parameters for key protection, certificate protection,
and MacData. The detailed explanation and possible values for these
properties can be found in the "PKCS12 KeyStore properties" section of
the `` file.

Also, support for the following SHA-2 based HmacPBE algorithms has
been added to the SunJCE provider:

* HmacPBESHA224
* HmacPBESHA256
* HmacPBESHA384
* HmacPBESHA512
* HmacPBESHA512/224
* HmacPBESHA512/256

JDK-8256902: Removed Root Certificates with 1024-bit Keys
The following root certificates with weak 1024-bit RSA public keys
have been removed from the `cacerts` keystore:

Alias Name: thawtepremiumserverca [jdk]
Distinguished Name: EMAILADDRESS=premium-server at, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

Alias Name: verisignclass2g2ca [jdk]
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3ca [jdk]
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3g2ca [jdk]
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisigntsaca [jdk]
Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate

The following root certificate have been removed from the cacerts truststore:

Alias Name: soneraclass2ca
Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI

JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms
The default encryption and MAC algorithms used in a PKCS #12 keystore
have been updated. The new algorithms are based on AES-256 and SHA-256
and are stronger than the old algorithms that were based on RC2,
DESede, and SHA-1. See the security properties starting with
`keystore.pkcs12` in the `` file for detailed

For compatibility, a new system property named
`keystore.pkcs12.legacy` is defined that will revert the algorithms to
use the older, weaker algorithms. There is no value defined for this


JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
Certain TLS ALPN values couldn't be properly read or written by the
SunJSSE provider. This is due to the choice of Strings as the API
interface and the undocumented internal use of the UTF-8 Character Set
which converts characters larger than U+00007F (7-bit ASCII) into
multi-byte arrays that may not be expected by a peer.

ALPN values are now represented using the network byte representation
expected by the peer, which should require no modification for
standard 7-bit ASCII-based character Strings. However, SunJSSE now
encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
characters.  This means applications that used characters above
U+000007F that were previously encoded using UTF-8 may need to either
be modified to perform the UTF-8 conversion, or set the Java security
property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.

See the updated guide at
for more information.

JDK-8244460: Support for certificate_authorities Extension
The "certificate_authorities" extension is an optional extension
introduced in TLS 1.3. It is used to indicate the certificate
authorities (CAs) that an endpoint supports and should be used by the
receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is
supported for TLS 1.3 in both the client and the server sides.  This
extension is always present for client certificate selection, while it
is optional for server certificate selection.

Applications can enable this extension for server certificate
selection by setting the `jdk.tls.client.enableCAExtension` system
property to `true`.  The default value of the property is `false`.

Note that if the client trusts more CAs than the size limit of the
extension (less than 2^16 bytes), the extension is not enabled.  Also,
some server implementations do not allow handshake messages to exceed
2^14 bytes.  Consequently, there may be interoperability issues when
`jdk.tls.client.enableCAExtension` is set to `true` and the client
trusts more CAs than the server implementation limit.

Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk-updates-dev mailing list