RELEASE NOTES: JDK 13.0.9

Notes generated: Tue Apr 02 19:31:25 CEST 2024

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description

Issue	Description
JDK-8254631	Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 Character Set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. ALPN values are now represented using the network byte representation expected by the peer, which should require no modification for standard 7-bit ASCII-based character Strings. However, SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
JDK-8206925	Support for certificate_authorities Extension The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection. With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection. Applications can enable this extension for server certificate selection by setting the `jdk.tls.client.enableCAExtension` system property to `true`. The default value of the property is `false`. Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when `jdk.tls.client.enableCAExtension` is set to `true` and the client trusts more CAs than the server implementation limit.

Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 Character Set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

ALPN values are now represented using the network byte representation expected by the peer, which should require no modification for standard 7-bit ASCII-based character Strings. However, SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

JDK-8206925

Support for certificate_authorities Extension

The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.

security-libs/java.security

Issue Description

Issue	Description
JDK-8172404	Tools Warn If Weak Algorithms Are Used The `keytool` and `jarsigner` tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the `jdk.security.legacyAlgorithms` security property in the `java.security` configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

JDK-8172404

Tools Warn If Weak Algorithms Are Used

The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

FIXED ISSUES

client-libs

Priority	Bug	Summary
P4	JDK-8273671	Backport of 8260616 misses one JNF header inclusion removal

client-libs/2d

Priority	Bug	Summary
P3	JDK-8262392	Update Mesa 3-D Headers to version 21.0.3

client-libs/java.awt

Priority	Bug	Summary
P2	JDK-8272602	[macOS] not all KEY_PRESSED events sent when control modifier is used
P3	JDK-8270216	[macOS] Update named used for Java run loop mode

client-libs/javax.accessibility

Priority	Bug	Summary
P3	JDK-8268775	Password is being converted to String in AccessibleJPasswordField

client-libs/javax.sound

Priority	Bug	Summary
P4	JDK-8266248	Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5

client-libs/javax.swing

Priority	Bug	Summary
P3	JDK-8258373	Update the text handling in the JPasswordField

core-libs

Priority	Bug	Summary
P4	JDK-8257620	Do not use objc_msgSend_stret to get macOS version

core-libs/java.net

Priority	Bug	Summary
P4	JDK-8254967	com.sun.net.HttpsServer spins on TLS session close

hotspot/compiler

Priority	Bug	Summary
P2	JDK-8263361	Incorrect arraycopy stub selected by C2 for SATB collectors
P2	JDK-8226871	invalid use of incomplete type class MacroAssembler when building minimal after JDK-8191278
P2	JDK-8191278	MappedByteBuffer bulk access memory failures are not handled gracefully
P2	JDK-8226878	zero crashes after JDK-8191278
P4	JDK-8267625	AARCH64: typo in LIR_Assembler::emit_profile_type
P4	JDK-8229254	solaris_x64 build fails after JDK-8191278

hotspot/gc

Priority	Bug	Summary
P2	JDK-8259271	gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
P2	JDK-8257999	Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region
P2	JDK-8260704	ParallelGC: oldgen expansion needs release-store for _end

hotspot/jvmti

Priority	Bug	Summary
P4	JDK-8253899	Make IsClassUnloadingEnabled signature match specification

hotspot/runtime

Priority	Bug	Summary
P3	JDK-8268635	Corrupt oop in ClassLoaderData
P3	JDK-8269934	RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status

hotspot/svc-agent

Priority	Bug	Summary
P4	JDK-8261236	C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled

infrastructure

Priority	Bug	Summary
P4	JDK-8269390	Bump update version for OpenJDK: jdk-13.0.9

infrastructure/build

Priority	Bug	Summary
P4	JDK-8261109	[macOS] Remove disabled warning for JNF in make/autoconf/flags-cflags.m4

security-libs/java.security

Priority	Bug	Summary
P3	JDK-8172404	Tools should warn if weak algorithms are used before restricting them

security-libs/javax.net.ssl

Priority	Bug	Summary
P3	JDK-8254631	Better support ALPN byte wire values in SunJSSE
P3	JDK-8206925	Support the certificate_authorities extension
P3	JDK-8268965	TCP Connection Reset when connecting simple socket to SSL server
P4	JDK-8270317	Large Allocation in CipherSuite
P4	JDK-8215712	Parsing extension failure may alert decode_error

security-libs/jdk.security

Priority	Bug	Summary
P4	JDK-8241888	Mirror jdk.security.allowNonCaAnchor system property with a security one