Release notes for Red Hat build of OpenJDK 21.0.8
Abstract
Preface
Open Java Development Kit (OpenJDK) is a free and open source implementation of the Java Platform, Standard Edition (Java SE). The Red Hat build of OpenJDK is available in four versions: 8u, 11u, 17u, and 21u.
Packages for the Red Hat build of OpenJDK are made available on Red Hat Enterprise Linux and Microsoft Windows and shipped as a JDK and JRE in the Red Hat Ecosystem Catalog.
Providing feedback on Red Hat build of OpenJDK documentation
To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.
Procedure
- Click the following link to create a ticket.
- Enter a brief description of the issue in the Summary.
- Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
- Clicking Create creates and routes the issue to the appropriate documentation team.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Support policy for Red Hat build of OpenJDK
Red Hat will support select major versions of Red Hat build of OpenJDK in its products. For consistency, these versions remain similar to Oracle JDK versions that are designated as long-term support (LTS).
A major version of Red Hat build of OpenJDK will be supported for a minimum of six years from the time that version is first introduced. For more information, see the OpenJDK Life Cycle and Support Policy.
RHEL 6 reached the end of life in November 2020. Because of this, Red Hat build of OpenJDK is not supporting RHEL 6 as a supported configuration.
Chapter 2. Differences from upstream OpenJDK 21
Red Hat build of OpenJDK in Red Hat Enterprise Linux contains a number of structural changes from the upstream distribution of OpenJDK. The Microsoft Windows version of Red Hat build of OpenJDK attempts to follow Red Hat Enterprise Linux updates as closely as possible.
The following list details the most notable Red Hat build of OpenJDK 21 changes:
- FIPS support. Red Hat build of OpenJDK 21 automatically detects whether RHEL is in FIPS mode and automatically configures Red Hat build of OpenJDK 21 to operate in that mode. This change does not apply to Red Hat build of OpenJDK builds for Microsoft Windows.
- Cryptographic policy support. Red Hat build of OpenJDK 21 obtains the list of enabled cryptographic algorithms and key size constraints from the RHEL system configuration. These configuration components are used by the Transport Layer Security (TLS) encryption protocol, the certificate path validation, and any signed JARs. You can set different security profiles to balance safety and compatibility. This change does not apply to Red Hat build of OpenJDK builds for Microsoft Windows.
- The src.zip file includes the source for all of the JAR libraries shipped with Red Hat build of OpenJDK.
- Red Hat build of OpenJDK on RHEL uses system-wide timezone data files as a source for timezone information.
- Red Hat build of OpenJDK on RHEL uses system-wide CA certificates.
- Red Hat build of OpenJDK on Microsoft Windows includes the latest available timezone data from RHEL.
- Red Hat build of OpenJDK on Microsoft Windows uses the latest available CA certificates from RHEL.
Chapter 3. Red Hat build of OpenJDK features
The latest Red Hat build of OpenJDK 21 release might include new features. Additionally, the latest release might enhance, deprecate, or remove features that originated from earlier Red Hat build of OpenJDK 21 releases.
For all the other changes and security fixes, see OpenJDK 21.0.8 Released.
3.1. Red Hat build of OpenJDK enhancements
Red Hat build of OpenJDK 21 provides enhancements to features originally created in earlier releases of Red Hat build of OpenJDK.
Fix for type annotations remaining invisible to javac plugins across compilation boundaries
In earlier Red Hat build of OpenJDK releases, the javac compiler provided access to type annotations only when types were loaded from source code files. If a type was loaded from bytecode, any type annotations were omitted.
In Red Hat build of OpenJDK 21.0.8, the TypeMirror interface also provides access to annotations for types that are loaded from bytecode. You can obtain these annotations by using the AnnotationMirror#getAnnotationMirrors method. These annotations are included in the output of the AnnotationMirror#toString method.
If your programs rely on type annotations being absent from elements that are loaded from bytecode, you must update these programs to handle type annotations.
Because of ongoing issues (see JDK-8360406), this feature is not enabled by default. If you want the javac compiler to include type annotations for types that are loaded from bytecode, specify the -XDaddTypeAnnotationsToSymbol=true option.
See JDK-8341779 (JDK Bug System).
Improved HTTP/2 flow control checks
Red Hat build of OpenJDK 21.0.8 enhances the HTTP/2 client implementation in java.net.http.HttpClient objects to report flow control errors to the server. This behavior is typically transparent in most situations. However, it might mean that streams are reset or connections are closed when connecting to an HTTP/2 server that does not correctly handle these errors.
You can use the following existing properties to adjust flow control limits:
- jdk.httpclient.connectionWindowSize: Specifies the HTTP/2 client connection window size in bytes
  - Default value: 67108864 (2^26, 64 MiB)
  - Range: 2^16-1 to 2^31-1
- jdk.httpclient.windowSize: Specifies the HTTP/2 client stream window size in bytes
  - Default value: 16777216 (2^24, 16 MiB)
  - Range: 2^14 to 2^31-1
If you specify an invalid value, the default value is used. This enhancement guarantees that the actual value for the connection window size is not smaller than the stream window size.
See JDK-8342075 (JDK Bug System).
New diagnostic commands for jcmd to print annotated process memory map
In Red Hat build of OpenJDK 21.0.8, the jcmd utility includes the following new commands for printing the virtual memory map of the JVM to either standard output (stdout) or a file.
- jcmd <pid> System.map: Prints the virtual memory map of the JVM identified by <pid> to stdout
- jcmd <pid> System.dump_map: Prints the virtual memory map of the JVM identified by <pid> to a vm_memory_map_<pid>.txt file in the current directory
If native memory tracking (NMT) is enabled, these commands also print NMT information about the virtual memory segments.
See JDK-8318636 (JDK Bug System).
Updated HSS/LMS public key encoding
In Red Hat build of OpenJDK 21.0.8, the X.509 encoding format for hierarchical signature system (HSS) and Leighton-Micali signature (LMS) public keys now aligns with the latest standard in the Internet Engineering Task Force (IETF) RFC 9708. This enhancement also means that the OCTET_STRING wrapping around the public key value has been removed.
For compatibility with earlier releases, the JDK still detects the presence of distinguished encoding rules (DER) encoding when reading keys that were encoded before this release.
See JDK-8347596 (JDK Bug System).
Compatibility of OCSP readtimeout property with OCSP timeout
The initial release of Red Hat build of OpenJDK 21 introduced the com.sun.security.ocsp.readtimeout property, which specifies the timeout for reading Online Certificate Status Protocol (OCSP) data. This property was paired with the existing com.sun.security.ocsp.timeout property to provide greater control over the timeouts for OCSP connections and certificate retrieval. By using these properties, you can set timeouts for reading OCSP data and for the transport layer independently of each other.
In earlier Red Hat build of OpenJDK 21 releases, if you did not specify a value for com.sun.security.ocsp.readtimeout, the default timeout for reading OCSP data was 15 seconds.
In Red Hat build of OpenJDK 21.0.8, if you do not specify a value for com.sun.security.ocsp.readtimeout, the default timeout for reading OCSP data is based on the value of the com.sun.security.ocsp.timeout property. If you similarly do not specify a value for com.sun.security.ocsp.timeout, the default timeout is 15 seconds, as in earlier releases.
This enhancement matches the com.sun.security.ocsp.readtimeout behavior that was introduced in Red Hat build of OpenJDK 17.0.15. This enhancement also matches the default behavior that existed in Red Hat build of OpenJDK versions before the com.sun.security.ocsp.readtimeout property was introduced.
See JDK-8347506 (JDK Bug System).
Sectigo CS and TLS root certificates added
In Red Hat build of OpenJDK 21.0.8, the cacerts truststore includes four Sectigo root certificates, including two code-signing (CS) certificates and two TLS certificates:
- Certificate 1
  - Name: Sectigo Limited
  - Alias name: sectigocodesignroote46
  - Distinguished name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
- Certificate 2
  - Name: Sectigo Limited
  - Alias name: sectigocodesignrootr46
  - Distinguished name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
- Certificate 3
  - Name: Sectigo Limited
  - Alias name: sectigotlsroote46
  - Distinguished name: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
- Certificate 4
  - Name: Sectigo Limited
  - Alias name: sectigotlsrootr46
  - Distinguished name: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
See JDK-8359170 (JDK Bug System).
Fix for potential failures in region allocation when using the G1 garbage collector with multiple NUMA nodes
On non-uniform memory access (NUMA) systems, the operating system can choose to migrate a task from one NUMA node to another. In the Garbage-First (G1) garbage collector, G1AllocRegion objects are associated with NUMA nodes. The G1Allocator code obtains the G1AllocRegion object for the current thread only, but operating system scheduling can lead to arbitrary changes in the NUMA-to-thread association.
In earlier Red Hat build of OpenJDK releases, when using the G1 garbage collector with multiple NUMA nodes, a failure might have resulted when the G1AllocRegion object being used was changed mid-operation.
Red Hat build of OpenJDK 21.0.8 resolves this issue by ensuring that the same NUMA node and associated G1AllocRegion object are used throughout an operation.
3.2. Red Hat build of OpenJDK deprecated features
The following pre-existing features have been either deprecated or removed in Red Hat build of OpenJDK 21.0.8:
Baltimore root certificate removed
From Red Hat build of OpenJDK 21.0.8 onward, the cacerts truststore no longer includes the following Baltimore root certificate that expired in May 2025:
- Alias name: baltimorecybertrustca [jdk]
- Distinguished name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8303770 (JDK Bug System).
Camerfirma root CA certificates removed
From Red Hat build of OpenJDK 21.0.8 onward, the cacerts truststore no longer includes the following expired Camerfirma root certificates:
- Certificate 1
  - Alias name: camerfirmachamberscommerceca [jdk]
  - Distinguished name: CN=Chambers of Commerce Root OU=http://www.chambersign.org O=AC Camerfirma SA CIF A82743287 C=EU
  - SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
- Certificate 2
  - Alias name: camerfirmachambersignca [jdk]
  - Distinguished name: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A. SERIALNUMBER=A82743287 L=Madrid (see current address at www.camerfirma.com/address) C=EU
  - SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
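To confirm on a given runtime the truststore changes described in sections 3.1 and 3.2 (Sectigo roots added, Baltimore and Camerfirma roots removed), the following added example, which is not part of the Red Hat release notes, checks the JVM's default trust anchors against the distinguished names and SHA-256 fingerprints listed in this document. The class name CacertsAudit and the report helper are illustrative names chosen for this example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class CacertsAudit {
    // Distinguished names and fingerprints copied from these release notes.
    static final List<String> ADDED = List.of(
        "CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB",
        "CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB",
        "CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB",
        "CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB");
    static final List<String> REMOVED_DN = List.of(
        "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE");
    static final List<String> REMOVED_SHA256 = List.of(
        "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3",
        "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");

    public static void main(String[] args) throws Exception {
        // A null KeyStore makes the factory load the JVM's default trust anchors.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<X500Principal> subjects = new HashSet<>();
        Set<String> prints = new HashSet<>();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        HexFormat hex = HexFormat.ofDelimiter(":").withUpperCase();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager x509)) continue;
            for (X509Certificate ca : x509.getAcceptedIssuers()) {
                subjects.add(ca.getSubjectX500Principal());
                prints.add(hex.formatHex(sha256.digest(ca.getEncoded())));
            }
        }
        boolean ok = true;
        for (String dn : ADDED) ok &= report(subjects.contains(new X500Principal(dn)), true, dn);
        for (String dn : REMOVED_DN) ok &= report(subjects.contains(new X500Principal(dn)), false, dn);
        for (String fp : REMOVED_SHA256) ok &= report(prints.contains(fp), false, fp);
        System.exit(ok ? 0 : 1); // non-zero exit when the store differs from the notes
    }

    // Prints one result line and returns true when the observed state matches.
    static boolean report(boolean present, boolean expected, String id) {
        System.out.printf("%-8s %-7s %s%n",
            present == expected ? "OK" : "MISMATCH", present ? "present" : "absent", id);
        return present == expected;
    }
}
```

On RHEL the result reflects the system-wide CA certificates that Red Hat build of OpenJDK uses, and on any platform a javax.net.ssl.trustStore override changes which store is audited.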
Chapter 4. Advisories related to this release
The following advisories are issued to document bug fixes and CVE fixes included in this release:
Revised on 2025-10-24 10:36:23 UTC