Chapter 2. Eclipse Temurin features

Eclipse Temurin 21.0.9 includes the following new features and enhancements.

XML Security for Java updated to Apache Santuario 3.0.5

From OpenJDK 21.0.9 onward, the XML signature implementation is based on Apache Santuario 3.0.5. This supersedes the behavior in earlier releases where the XML signature implementation was based on Apache Santuario 3.0.3.

This enhancement introduces the following four SHA-3-based ECDSA SignatureMethod algorithms:

Because the SignatureMethod constants for these algorithms are available in Java 25 only, use the following equivalent string literal values to obtain instances of these algorithms:

See JDK-8344137 (JDK Bug System).

Fix for GZIPInputStream using faulty available() method test for end of stream

The GZIPInputStream class supports concatenated GZIP streams and attempts to start reading a new stream after the previous stream ends.

In earlier releases, this attempt to read a new stream relied on the InputStream.available() method returning a value greater than zero. However, this method returns only an estimate of the number of bytes that can be read without blocking.

OpenJDK 21.0.9 resolves this issue by ensuring that GZIPInputStream objects no longer use the available() method test and always attempt to read a new stream.

See JDK-7036144 (JDK Bug System).

Mechanism for disabling different parts of the TLS cipher suite based on pattern matching

In earlier releases, the mechanisms for disabling TLS algorithms were either too general or too specific. For example, if you disabled an algorithm such as RSA, the JDK disabled all cipher suites that used this algorithm. In this situation, the only alternative was to disable each cipher suite specifically.

From OpenJDK 21.0.9 onward, the jdk.tls.disabledAlgorithms security property in the java.security configuration file supports asterisk (*) wildcard characters for patterns that start with "TLS_". For example, TLS_RSA_* disables all cipher suites that start with TLS_RSA_.

See JDK-8341964 (JDK Bug System).

Mechanism for disabling signature schemes based on their TLS scope

From OpenJDK 21.0.9 onward, the jdk.tls.disabledAlgorithms security property also accepts suffix values that specify and limit the use of specific algorithms. In this situation, you can specify that a particular algorithm may be used in TLS handshake exchanges only or for signing TLS certificates only.

Each suffix value must consist of the word usage and either HandshakeSignature for TLS handshake exchanges or CertificateSignature for TLS certificates. For example, rsa_pkcs1_sha1 usage HandshakeSignature indicates that the rsa_pkcs1_sha1 algorithm may be used in TLS handshake exchanges only and it cannot be used for signing TLS certificates.

See JDK-8349583 (JDK Bug System).

"Best-fit" mapping disabled in Windows command prompt

In earlier releases, on Windows platforms, the Java launcher used the American National Standards Institute (ANSI) version of the GetCommandLine() Win32 API call to obtain command-line arguments. In this situation, if the command-line arguments contained Unicode characters that did not exist in the ANSI code page, these arguments were converted to other characters based on the Windows "best fit" mapping. However, this mapping could have introduced unexpected characters and differed between code pages.

From OpenJDK 21.0.9 onward, the JDK reads command-line arguments as Unicode characters and then converts them to the ANSI code page, using the default replacement for any unmappable character. If applications need to use unmappable characters as is, without replacement, ensure that you select UTF-8 in the Windows regional settings.

See JDK-8337506 (JDK Bug System).

Information improvements for container memory usage

From OpenJDK 21.0.9 onward, the JDK provides additional information for containers by also including memory usage details for both the Resident Set Size (RSS) and the cache. These memory usage details are specified in bytes.

This additional information is visible in both of the following locations:

See JDK-8313083 (JDK Bug System).

Fix for SunMSCAPI provider to allow processes without elevated permissions to read local computer keystore certificates

In earlier releases, the SunMSCAPI provider required processes to have administrator privileges to access the local computer keystore.

From OpenJDK 21.0.9 onward, the SunMSCAPI provider allows processes without elevated permissions to access the keystore in read-only mode by using the CERT_STORE_MAXIMUM_ALLOWED_FLAG.

See JDK-8313367 (JDK Bug System).

The following pre-existing features have been either deprecated or removed in Eclipse Temurin 21.0.9:

AffirmTrust root CA certificates removed

From OpenJDK 21.0.9 onward, the cacerts truststore no longer includes the following AffirmTrust root certificates, which were deactivated in the OpenJDK 21.0.5 release in October 2024:

See JDK-8361212 (JDK Bug System).

Revised on 2025-10-31 15:49:32 UTC