RELEASE NOTES FOR: 11.0.30 ==================================================================================================== Notes generated: Fri Dec 12 05:21:29 CET 2025 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/javax.net.ssl: JDK-8245545: Disabled TLS_RSA Cipher Suites The TLS_RSA cipher suites have been disabled by default, by adding "TLS_RSA_*" to the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. The TLS_RSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLS_RSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLS_RSA cipher suites. Any attempts to use cipher suites starting with "TLS_RSA_" will fail with an `SSLHandshakeException`. Users can, at their own risk, re-enable these cipher suites by removing "TLS_RSA_*" from the `jdk.tls.disabledAlgorithms` security property. The following previously enabled cipher suites are now disabled: TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA JDK-8341964: Mechanism to Disable TLS Cipher Suites by Pattern Matching TLS cipher suites can be disabled with the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file using one or more `*` wildcard characters. For example, "TLS_RSA_*" disables all cipher suites that start with "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have wildcard characters. tools/launcher: JDK-8337506: Disable "best-fit" Mapping on Windows Command Line Command line arguments to the Java launcher are no longer converted with [Windows' "best-fit" mapping](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ucoderef/d1980631-6401-428e-a49d-d71394be7da8) when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher's argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings. hotspot/runtime: JDK-8313083: Print 'rss' and 'cache' As Part of the Container Information The HotSpot runtime code has been updated to additionally print a container's 'rss' and 'cache'. The additional output can be found in the JVM's response to a "jcmd [PID] VM.info" request and in the `hs_err` file generated in case of JVM abrupt termination. This will help monitoring and troubleshooting OutOfMemory situations as OOM killer can terminate a process if its `rss` + `cache` usage reaches the max memory limit of the container. ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs: (P4) JDK-8271456: Avoid looking up standard charsets in "java.desktop" module (P5) JDK-8274893: Update java.desktop classes to use try-with-resources client-libs/2d: (P3) JDK-8263622: The java.awt.color.ICC_Profile#setData invert the order of bytes for the "head" tag (P3) JDK-8355528: Update HarfBuzz to 11.2.0 (P4) JDK-8366359: Test should throw SkippedException when there is no lpstat client-libs/javax.imageio: (P3) JDK-8347911: Limit the length of inflated text chunks client-libs/javax.sound: (P3) JDK-8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError client-libs/javax.swing: (P3) JDK-8213781: web page background renders blue in JEditorPane (P4) JDK-4895924: Strings in format #rgb not handled by Color.decode() (affects CSS / Swing) core-libs/java.lang: (P4) JDK-8368192: Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace core-libs/java.net: (P4) JDK-8359402: Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp core-libs/java.util.concurrent: (P4) JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool core-libs/java.util.jar: (P4) JDK-8299748: java/util/zip/Deinflate.java failing on s390x hotspot/compiler: (P3) JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision (P5) JDK-8257709: C1: Double assignment in InstructionPrinter::print_stack hotspot/gc: (P4) JDK-8366125: [11u] Test compiler/loopopts/TestRangeCheckPredicatesControl.java fails OOM hotspot/runtime: (P3) JDK-8347129: cpuset cgroups controller is required for no good reason (P3) JDK-8313083: Print 'rss' and 'cache' as part of the container information (P4) JDK-8264524: jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working hotspot/test: (P4) JDK-8358004: Delete applications/scimark/Scimark.java test infrastructure/build: (P3) JDK-8357657: [11u][windows] cannot stat '/jdk.crypto.ec/*': No such file or directory (P4) JDK-8336451: [11u] GHA macos-13 and macos-15 builders are unable to resolve local hostname (P4) JDK-8224087: Compile C code for at least C99 Standard compliance (P4) JDK-8369226: GHA: Switch to MacOS 15 (P4) JDK-8341861: GHA: Use only retention mechanism to remove bundles infrastructure/release_eng: (P4) JDK-8366572: Bump update version of OpenJDK: 11.0.30 other-libs: (P4) JDK-8364597: Replace THL A29 Limited with Tencent security-libs/java.security: (P4) JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout (P4) JDK-8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out security-libs/javax.net.ssl: (P3) JDK-8341964: Add mechanism to disable different parts of TLS cipher suite (P3) JDK-8245545: Disable TLS_RSA cipher suites security-libs/jdk.security: (P3) JDK-8353299: VerifyJarEntryName.java test fails (P4) JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC (P4) JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName tools/javadoc(tool): (P4) JDK-8347381: Upgrade jQuery UI to version 1.14.1 tools/launcher: (P4) JDK-8337506: Disable "best-fit" mapping on Windows command line