Chapter 3. Eclipse Temurin features
Eclipse Temurin does not contain structural changes from the upstream distribution of OpenJDK.
For more information about the changes and security fixes in the latest OpenJDK 11 release of Eclipse Temurin, see OpenJDK 11.0.27 Released.
3.1. New features and enhancements
Eclipse Temurin 11.0.28 includes the following new features and enhancements.
Fix for problematic SunPKCS11 provider checks on PKCS11 mechanism
In OpenJDK 14, the SunPKCS11 provider introduced the concept of legacy mechanisms, which was subsequently backported to OpenJDK 11. If a mechanism was found to be using a weak algorithm, this mechanism was considered legacy and it was subsequently disabled.
However, this approach proved inflexible in earlier releases. For example, you could not override the legacy determination to enable a disabled mechanism. Also, even if encryption was not being used, a mechanism that was being used for signing could be considered legacy and therefore disabled if it had a weak encryption algorithm. Similarly, a weak signing algorithm prevented use of the mechanism as a cipher for encryption or decryption.
OpenJDK 11.0.28 resolves these issues by introducing a new allowLegacy configuration property for the PKCS11 provider. You can override the legacy determination by setting the allowLegacy property to true. This property is set to false by default. From this release onward, the legacy determination also considers the service type by checking encryption algorithms only for ciphers and by checking signature algorithms only for signatures.
See JDK-8293345 (JDK Bug System).
Sectigo CS and TLS root certificates added
In OpenJDK 11.0.28, the cacerts truststore includes four Sectigo root certificates, two for code signing (CS) and two for TLS:
- Certificate 1
  - Name: Sectigo Limited
  - Alias name: sectigocodesignroote46
  - Distinguished name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
- Certificate 2
  - Name: Sectigo Limited
  - Alias name: sectigocodesignrootr46
  - Distinguished name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
- Certificate 3
  - Name: Sectigo Limited
  - Alias name: sectigotlsroote46
  - Distinguished name: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
- Certificate 4
  - Name: Sectigo Limited
  - Alias name: sectigotlsrootr46
  - Distinguished name: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
3.2. Deprecated features
The following pre-existing features have been either deprecated or removed in Eclipse Temurin 11.0.28:
Baltimore root certificate removed
From OpenJDK 11.0.28 onward, the cacerts truststore no longer includes the following Baltimore root certificate that expired in May 2025:
- Alias name: baltimorecybertrustca [jdk]
- Distinguished name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8303770 (JDK Bug System).
Camerfirma root CA certificates removed
From OpenJDK 11.0.28 onward, the cacerts truststore no longer includes the following expired Camerfirma root certificates:
- Certificate 1
  - Alias name: camerfirmachamberscommerceca [jdk]
  - Distinguished name: CN=Chambers of Commerce Root OU=http://www.chambersign.org O=AC Camerfirma SA CIF A82743287 C=EU
  - SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
- Certificate 2
  - Alias name: camerfirmachambersignca [jdk]
  - Distinguished name: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A. SERIALNUMBER=A82743287 L=Madrid (see current address at www.camerfirma.com/address) C=EU
  - SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
See JDK-8350498 (JDK Bug System).
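A post-upgrade check of the truststore changes listed in sections 3.1 and 3.2, as an added example that is not part of the original release notes: it parses `keytool -list` output and reports whether the four Sectigo aliases are present and the Baltimore and Camerfirma aliases are gone. The sample listing, its dates and the `--live` switch are constructed for illustration, and the ` [jdk]` alias suffix is treated as optional because the page shows it on only some aliases.

```shell
#!/bin/sh
# Added example (not from the release notes): audit `keytool -list` output
# against the cacerts changes this page documents for 11.0.28.
EXPECT_PRESENT="sectigocodesignroote46 sectigocodesignrootr46 sectigotlsroote46 sectigotlsrootr46"
EXPECT_ABSENT="baltimorecybertrustca camerfirmachamberscommerceca camerfirmachambersignca"

# Reads a keytool listing on stdin, prints one finding per alias,
# returns 0 if the store matches the page and 1 otherwise.
audit_cacerts() {
    # Entry lines look like "alias [jdk], <date>, trustedCertEntry,".
    # Keep the alias only and drop the optional " [jdk]" suffix.
    aliases=$(grep 'trustedCertEntry' | sed -e 's/,.*$//' -e 's/ \[jdk]$//')
    status=0
    for a in $EXPECT_PRESENT; do
        if printf '%s\n' "$aliases" | grep -qxF "$a"; then
            echo "OK       present        $a"
        else
            echo "MISMATCH missing        $a"; status=1
        fi
    done
    for a in $EXPECT_ABSENT; do
        if printf '%s\n' "$aliases" | grep -qxF "$a"; then
            echo "MISMATCH still trusted  $a"; status=1
        else
            echo "OK       removed        $a"
        fi
    done
    return $status
}

# Constructed sample: a truststore that gained the Sectigo roots but still
# carries the expired Baltimore root (dates are made up).
sample_listing() {
    cat <<'EOF'
Your keystore contains 5 entries

sectigocodesignroote46 [jdk], Jul 1, 2025, trustedCertEntry,
sectigocodesignrootr46 [jdk], Jul 1, 2025, trustedCertEntry,
sectigotlsroote46 [jdk], Jul 1, 2025, trustedCertEntry,
sectigotlsrootr46 [jdk], Jul 1, 2025, trustedCertEntry,
baltimorecybertrustca [jdk], Jul 1, 2025, trustedCertEntry,
EOF
}

if [ "${1:-}" = "--live" ]; then   # hypothetical switch: audit the running JDK
    keytool -list -cacerts -storepass changeit | audit_cacerts
else
    sample_listing | audit_cacerts || true
fi
```

To audit a truststore that an application ships separately from the JDK, replace `-cacerts` with `-keystore <path>` and supply that store's password.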
Revised on 2025-07-24 17:40:35 UTC