Chapter 4. Red Hat build of OpenJDK new features and enhancements
The Red Hat build of OpenJDK 11.0.30 release includes the following new features or enhancements to existing features that were introduced in earlier releases.
For all the other changes and security fixes, see OpenJDK 11.0.30 Released.
Improved JMX connections
From Red Hat build of OpenJDK 11.0.30 onward, SSL connections created by javax.rmi.ssl.SslRMIClientSocketFactory objects enable HTTPS-based endpoint identification by default.
You can disable this feature by setting the jdk.rmi.ssl.client.enableEndpointIdentification property to false.
JDK bug system reference ID: JDK-8341496
Enhanced certificate checking
When the com.sun.security.enableAIAcaIssuers system property is set to true, Red Hat build of OpenJDK supports the authorityInfoAccess extension in X.509 certificates.
Red Hat build of OpenJDK 11.0.30 adds a new system and security property, com.sun.security.allowedAIALocations, that acts as a filter on the Uniform Resource Identifiers (URIs) that are specified in the authorityInfoAccess extension. By default, this property has an empty value, which means all URIs are denied when the extension is enabled. If you want to allow all URIs, set this property to any.
For more granular control, you can specify a whitespace-separated list of filters. The java.security file provides information on the syntax for the list of filters.
If you specify a value for the system property, it takes precedence over the security property.
JDK bug system reference ID: JDK-8368032
Mechanism for disabling different parts of the TLS cipher suite based on pattern matching
In earlier releases, the mechanisms for disabling TLS algorithms were either too general or too specific. For example, if you disabled an algorithm such as RSA, the JDK disabled all cipher suites that used this algorithm. In this situation, the only alternative was to disable each cipher suite specifically.
From Red Hat build of OpenJDK 11.0.30 onward, the jdk.tls.disabledAlgorithms security property in the java.security configuration file supports asterisk (*) wildcard characters for patterns that start with "TLS_". For example, TLS_RSA_* disables all cipher suites that start with TLS_RSA_.
See JDK-8341964 (JDK Bug System).
TLS_RSA cipher suites are disabled by default
The TLS Rivest-Shamir-Adleman (TLS_RSA) cipher suites do not preserve forward secrecy and they are rarely used. Red Hat build of OpenJDK 11.0.30 disables the TLS_RSA cipher suites by adding the TLS_RSA_* option to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. If you attempt to use the TLS_RSA cipher suites, Red Hat build of OpenJDK now throws an SSLHandshakeException error.
If you want to continue using the TLS_RSA cipher suites, you can remove TLS_RSA_* from the jdk.tls.disabledAlgorithms security property either by modifying the java.security configuration file or by using the java.security.properties system property.
Continued use of the TLS_RSA cipher suites is at your own risk.
RSA cipher suites that use DES, 3DES, RC4, or NULL were disabled previously. This change results in the following cipher suites also being disabled:
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
See JDK-8245545 (JDK Bug System).
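To confirm the effect of the TLS_RSA_* wildcard entry on a running JVM, the following added example (not part of the Red Hat documentation or the OpenJDK sources) prints the current jdk.tls.disabledAlgorithms value and reports any TLS_RSA_* suites that are still enabled in the default SSLContext; the class and method names are the author's own.

```java
// Added example: audit the enabled cipher suites of the running JDK against
// the TLS_RSA_ prefix that jdk.tls.disabledAlgorithms now excludes by default.
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

public class CheckTlsRsaSuites {

    // Returns the cipher suites enabled by default in the JDK's SSLContext
    // whose names start with the given prefix (for example "TLS_RSA_").
    // The enabled set already reflects jdk.tls.disabledAlgorithms.
    static List<String> enabledSuitesWithPrefix(String prefix) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        return Arrays.stream(enabled)
                .filter(suite -> suite.startsWith(prefix))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Show the security property that drives the filtering, as loaded
        // from java.security (or from a java.security.properties override).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        List<String> rsaSuites = enabledSuitesWithPrefix("TLS_RSA_");
        if (rsaSuites.isEmpty()) {
            System.out.println("No TLS_RSA_* cipher suites are enabled.");
        } else {
            // Non-forward-secret suites are still negotiable; investigate why.
            System.out.println("WARNING: TLS_RSA_* cipher suites still enabled:");
            rsaSuites.forEach(suite -> System.out.println("  " + suite));
        }
    }
}
```

Compile and run it with the 11.0.30 JDK to see the empty result; running it again with -Djava.security.properties pointing at a file that redefines jdk.tls.disabledAlgorithms without TLS_RSA_* shows the six AES suites listed above reappearing in the enabled set.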
"Best-fit" mapping disabled in Windows command prompt
In earlier releases, on Windows platforms, the Java launcher used the American National Standards Institute (ANSI) version of the GetCommandLine() Win32 API call to obtain command-line arguments. In this situation, if the command-line arguments contained Unicode characters that did not exist in the ANSI code page, these arguments were converted to other characters based on the Windows "best fit" mapping. However, this mapping could have introduced unexpected characters and differed between code pages.
From Red Hat build of OpenJDK 11.0.30 onward, the JDK reads command-line arguments as Unicode characters and then converts them to the ANSI code page, using the default replacement for any unmappable character. If applications need to use unmappable characters as is, without replacement, ensure that you select UTF-8 in the Windows regional settings.
See JDK-8337506 (JDK Bug System).
Information improvements for container memory usage
From Red Hat build of OpenJDK 11.0.30 onward, the JDK provides additional information for containers by also including memory usage details for both the Resident Set Size (RSS) and the cache. These memory usage details are specified in bytes.
This additional information is visible in both of the following locations:
- The output of the jcmd <PID> VM.info command (where <PID> represents the running JVM)
- The hs_err file that is generated if the JVM terminates abruptly