RELEASE NOTES: JDK 23.0.1

Notes generated: Mon Nov 04 16:42:19 CET 2024

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net`

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name	SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US	73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net	6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
CN=AffirmTrust Commercial, O=AffirmTrust, C=US	03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
CN=AffirmTrust Networking, O=AffirmTrust, C=US	0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
CN=AffirmTrust Premium, O=AffirmTrust, C=US	70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US	BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

JDK-8341059

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name	SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US	73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net	6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
CN=AffirmTrust Commercial, O=AffirmTrust, C=US	03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
CN=AffirmTrust Networking, O=AffirmTrust, C=US	0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
CN=AffirmTrust Premium, O=AffirmTrust, C=US	70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US	BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

security-libs/java.security

Issue	Description
JDK-8341057	Added SSL.com TLS Root CA Certificates Issued in 2022 The following root certificates have been added to the cacerts truststore: ``` + SSL.com + ssltlsrootecc2022 DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US SSL.com ssltlsrootrsa2022 DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US ```

Issue

Description

JDK-8341057

Added SSL.com TLS Root CA Certificates Issued in 2022

The following root certificates have been added to the cacerts truststore: ``` + SSL.com + ssltlsrootecc2022 DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

SSL.com
ssltlsrootrsa2022 DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US ```

FIXED ISSUES

client-libs/2d

Priority	Bug	Summary
P4	JDK-8334123	log the opening of Type 1 fonts

client-libs/javax.swing

Priority	Bug	Summary
P3	JDK-6967482	TAB-key does not work in JTables after selecting details-view in JFileChooser
P4	JDK-8166352	FilePane.createDetailsView() removes JTable TAB, SHIFT-TAB functionality

core-libs/java.nio

Priority	Bug	Summary
P3	JDK-8338696	(fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux)
P4	JDK-8299813	java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram
P4	JDK-8336301	test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion

hotspot/compiler

Priority	Bug	Summary
P4	JDK-8333652	RISC-V: compiler/vectorapi/VectorGatherMaskFoldingTest.java fails when using RVV
P5	JDK-8335536	Fix assertion failure in IdealGraphPrinter when append is true

hotspot/gc

Priority	Bug	Summary
P4	JDK-8333716	Shenandoah: Check for disarmed method before taking the nmethod lock
P4	JDK-8331411	Shenandoah: Reconsider spinning duration in ShenandoahLock

hotspot/jvmti

Priority	Bug	Summary
P4	JDK-8335775	Remove extraneous 's' in comment of rawmonitor.cpp test file

hotspot/runtime

Priority	Bug	Summary
P4	JDK-8334239	Introduce macro for ubsan method/function exclusions
P4	JDK-8332818	ubsan: archiveHeapLoader.cpp:70:27: runtime error: applying non-zero offset 18446744073707454464 to null pointer
P4	JDK-8333887	ubsan: unsafe.cpp:247:13: runtime error: store to null pointer of type 'volatile int'

infrastructure

Priority	Bug	Summary
P4	JDK-8334041	Bump version numbers for 23.0.1

infrastructure/build

Priority	Bug	Summary
P4	JDK-8333676	JCK_RETRY_COUNT appears to not work

security-libs/java.security

Priority	Bug	Summary
P2	JDK-8341057	Add 2 SSL.com TLS roots

security-libs/javax.net.ssl

Priority	Bug	Summary
P2	JDK-8341059	Change Entrust TLS distrust date to November 12, 2024
P3	JDK-8337664	Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
P4	JDK-8332524	Instead of printing "TLSv1.3," it is showing "TLS13"

tools/jpackage

Priority	Bug	Summary
P4	JDK-8325525	Create jtreg test case for JDK-8325203