Red Hat SummitEclipse Temurin 8.0.432 release notes
Abstract
Preface
Open Java Development Kit (OpenJDK) is a free and open-source implementation of the Java Platform, Standard Edition (Java SE). Eclipse Temurin is available in four LTS versions: OpenJDK 8u, OpenJDK 11u, OpenJDK 17u, and OpenJDK 21u.
Binary files for Eclipse Temurin are available for macOS, Microsoft Windows, and multiple Linux x86 Operating Systems including Red Hat Enterprise Linux and Ubuntu.
Providing feedback on Red Hat build of OpenJDK documentation
To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.
Procedure
- Click the following link to create a ticket.
- Enter a brief description of the issue in the Summary.
- Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
- Clicking Create creates and routes the issue to the appropriate documentation team.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Support policy for Eclipse Temurin
Red Hat will support select major versions of Eclipse Temurin in its products. For consistency, these are the same versions that Oracle designates as long-term support (LTS) for the Oracle JDK.
A major version of Eclipse Temurin will be supported for a minimum of six years from the time that version is first introduced. For more information, see the Eclipse Temurin Life Cycle and Support Policy.
RHEL 6 reached the end of life in November 2020. Because of this, Eclipse Temurin does not support RHEL 6 as a supported configuration.
Chapter 2. Eclipse Temurin features
Eclipse Temurin does not contain structural changes from the upstream distribution of OpenJDK.
For the list of changes and security fixes that the latest OpenJDK 8 release of Eclipse Temurin includes, see OpenJDK 8u432 Released.
New features and enhancements
Eclipse Temurin 8.0.432 includes the following new features and enhancements.
TLS_ECDH_* cipher suites are disabled by default
The TLS Elliptic-curve Diffie-Hellman (TLS_ECDH) cipher suites do not preserve forward secrecy and they are rarely used. OpenJDK 8.0.432 disables the TLS_ECDH cipher suites by adding the ECDH option to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. If you attempt to use the TLS_ECDH cipher suites, OpenJDK now throws an SSLHandshakeException error.
If you want to continue using the TLS_ECDH cipher suites, you can remove ECDH from the jdk.tls.disabledAlgorithms security property either by modifying the java.security configuration file or by using the java.security.properties system property.
Continued use of the TLS_ECDH cipher suites is at your own risk.
ECDH cipher suites that use RC4 were disabled in an earlier release. This change does not affect the TLS_ECDHE cipher suites, which remain enabled by default.
See JDK-8279164 (JDK Bug System).
Distrust of TLS server certificates issued after 11 November 2024 and anchored by Entrust root CAs
In accordance with similar plans that Google and Mozilla recently announced, OpenJDK 8.0.432 distrusts TLS certificates that are issued after 11 November 2024 and anchored by Entrust root certificate authorities (CAs). This change in behavior includes any certificates that are branded as AffirmTrust, which are managed by Entrust.
OpenJDK will continue to trust certificates that are issued on or before 11 November 2024 until these certificates expire.
If a server’s certificate chain is anchored by an affected certificate, any attempts to negotiate a TLS session now fail with an exception to indicate that the trust anchor is not trusted. For example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net CertificationAuthority (2048), OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
You can check whether this change affects a certificate in a JDK keystore by using the following keytool command:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If this change affects any certificate in the chain, update this certificate or contact the organization that is responsible for managing the certificate.
If you want to continue using TLS server certificates that are anchored by Entrust root certificates, you can remove ENTRUST_TLS from the jdk.security.caDistrustPolicies security property either by modifying the java.security configuration file or by using the java.security.properties system property.
Continued use of the distrusted TLS server certificates is at your own risk.
These restrictions apply to the following Entrust root certificates that OpenJDK includes:
- Certificate 1
- Alias name: entrustevca [jdk]
- Distinguished name: CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US
- SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
- Certificate 2
- Alias name: entrustrootcaec1 [jdk]
- Distinguished name: CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
- SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
- Certificate 3
- Alias name: entrustrootcag2 [jdk]
- Distinguished name: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
- SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
- Certificate 4
- Alias name: entrustrootcag4 [jdk]
- Distinguished name: CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-termsO=Entrust, Inc., C=US
- SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
- Certificate 5
- Alias name: entrust2048ca [jdk]
- Distinguished name: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
- SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
- Certificate 6
- Alias name: affirmtrustcommercialca [jdk]
- Distinguished name: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
- SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
- Certificate 7
- Alias name: affirmtrustnetworkingca [jdk]
- Distinguished name: CN=AffirmTrust Networking, O=AffirmTrust, C=US
- SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
- Certificate 8
- Alias name: affirmtrustpremiumca [jdk]
- Distinguished name: CN=AffirmTrust Premium, O=AffirmTrust, C=US
- SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
- Certificate 9
- Alias name: affirmtrustpremiumeccca [jdk]
- Distinguished name: CN=AffirmTrust Premium ECCO=AffirmTrust, C=US
- SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
See JDK-8337664 (JDK Bug System) and JDK-8341059 (JDK Bug System).
SSL.com root certificates added
In OpenJDK 8.0.432, the cacerts truststore includes two SSL.com TLS root certificates:
- Certificate 1
- Name: SSL.com
- Alias name: ssltlsrootecc2022
- Distinguished name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
- Certificate 2
- Name: SSL.com
- Alias name: ssltlsrootrsa2022
- Distinguished name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
See JDK-8341057 (JDK Bug System).
Relaxation of Java Abstract Window Toolkit (AWT) Robot specification
OpenJDK 8.0.432 is based on the latest maintenance release of the Java 8 specification. This release relaxes the specification of the following three methods in the java.awt.Robot class:
-
mouseMove(int,int) -
getPixelColor(int,int) -
createScreenCapture(Rectangle)
This relaxation of the specification allows these methods to fail when the desktop environment does not permit moving the mouse pointer or capturing screen content.
See JDK-8307779 (JDK Bug System).
Changes to com.sun.jndi.ldap.object.trustSerialData system property
The JDK implementation of the LDAP provider no longer supports the deserialization of Java objects by default.
In OpenJDK 8.0.432, the com.sun.jndi.ldap.object.trustSerialData system property is set to false by default. This release also increases the scope of the com.sun.jndi.ldap.object.trustSerialData property to cover the reconstruction of RMI remote objects from the javaRemoteLocation LDAP attribute.
These changes mean that transparent deserialization of Java objects now requires an explicit opt-in. From OpenJDK 8.0.432 onward, if you want to allow applications to reconstruct Java objects and RMI stubs from LDAP attributes, you must explicitly set the com.sun.jndi.ldap.object.trustSerialData property to true.
See JDK-8290367 (JDK Bug System) and JDK bug system reference ID: JDK-8332643.
HTTP client enhancements
OpenJDK 8.0.432 limits the maximum header field size that the HTTP client accepts within the JDK for all supported versions of the HTTP protocol. The header field size is computed as the sum of the size of the uncompressed header name, the size of the uncompressed header value, and an overhead of 32 bytes for each field section line. If a peer sends a field section that exceeds this limit, a java.net.ProtocolException is raised.
OpenJDK 8.0.432 introduces a jdk.http.maxHeaderSize system property that you can use to change the maximum header field size (in bytes). Alternatively, you can disable the maximum header field size by setting the jdk.http.maxHeaderSize property to zero or a negative value. The jdk.http.maxHeaderSize property is set to 393,216 bytes (that is, 384KB) by default.
JDK bug system reference ID: JDK-8328286.
Fix for infinite loop in ZipOutputStream.close() method
In earlier releases, when an exception was thrown during closure, the DeflaterOutputStream.close(), GZIPOutputStream.finish(), and ZipOutputStream.closeEntry() methods did not close the associated default JDK compressor.
OpenJDK 8.0.432 resolves this issue by ensuring that the default compressor is closed before propagating the Throwable object up the call stack. In the case of ZipOutputStream, the default compressor is closed only when the exception is not a ZipException.
See JDK-8193682 (JDK Bug System).
Revised on 2024-10-30 09:27:28 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}