Chapter 4. Red Hat build of OpenJDK features
The latest Red Hat build of OpenJDK 11 release might include new features. Additionally, the latest release might enhance, deprecate, or remove features that originated from previous Red Hat build of OpenJDK 11 releases.
For all the other changes and security fixes, see OpenJDK 11.0.24 Released.
Red Hat build of OpenJDK new features and enhancements
Review the following release notes to understand new features and feature enhancements that Red Hat build of OpenJDK 11.0.24 provides:
DTLS 1.0 is disabled by default
OpenJDK 9 introduced support for both version 1.0 and version 1.2 of the Datagram Transport Layer Security (DTLS) protocol (JEP-219). DTLSv1.0, which is based on TLS 1.1, is no longer recommended for use, because this protocol is considered weak and insecure by modern standards. In Red Hat build of OpenJDK 11.0.24, if you attempt to use DTLSv1.0, the JDK throws an SSLHandshakeException
by default.
If you want to continue using DTLSv1.0, you can remove DTLSv1.0
from the jdk.tls.disabledAlgorithms
system property either by modifying the java.security
configuration file or by using the java.security.properties
system property.
Continued use of DTLSv1.0 is not recommended and is at the user’s own risk.
See JDK-8256660 (JDK Bug System).
RPATH
preferred over RUNPATH
for $ORIGIN
runtime search paths in internal JDK binaries
Native executables and libraries in the JDK use embedded runtime search paths (rpaths) to locate required internal JDK native libraries. On Linux systems, binaries can specify these search paths by using either DT_RPATH
or DT_RUNPATH
.
If a binary specifies search paths by using DT_RPATH
, these paths are searched before any paths that are specified in the LD_LIBRARY_PATH
environment variable. If a binary specifies search paths by using DT_RUNPATH
, these paths are searched only after paths that are specified in LD_LIBRARY_PATH
. This means that the use of DT_RUNPATH
can allow JDK internal libraries to be overridden by any libraries of the same name that are specified in LD_LIBRARY_PATH
, which is undesirable from a security perspective.
In earlier releases, the type of runtime search path used was based on the default search path for the dynamic linker. In Red Hat build of OpenJDK 11.0.24, to ensure that DT_RPATH
is used, the --disable-new-dtags
option is explicitly passed to the linker.
See JDK-8326891 (JDK Bug System).
GlobalSign R46 and E46 root certificates added
In Red Hat build of OpenJDK 11.0.24, the cacerts
truststore includes two GlobalSign TLS root certificates:
- Certificate 1
- Name: GlobalSign
- Alias name: globalsignr46
- Distinguished name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
- Certificate 2
- Name: GlobalSign
- Alias name: globalsigne46
- Distinguished name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE