RELEASE NOTES: JDK 24.0.1

Notes generated: Wed Mar 12 08:13:12 CET 2025

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description

Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025

The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.

TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025.

An application will receive an exception with a message indicating the trust anchor is not trusted, for example:

` "TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"`

The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:

Root Certificates distrusted after 2025-04-15
Distinguished Name	SHA-256 Fingerprint
CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU	0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU	06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU	13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

core-svc/java.lang.management

Issue Description

Issue	Description
JDK-8350820	OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows On Windows, the `OperatingSystemMXBean` CPU load methods, such as `getSystemCpuLoad`, `getCpuLoad`, and `getProcessCpuLoad`, always return -1. This error affects CPU usage monitoring of Windows targets. This issue was introduced during JDK 24 development. It does not affect earlier releases. It was found too late to be fixed in JDK 24, but will be resolved in an update release.
Resolved: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows On Windows, the `OperatingSystemMXBean` CPU load methods, `getSystemCpuLoad`, `getCpuLoad`, and `getProcessCpuLoad`, were failing and always returning -1. This error affected CPU usage monitoring of Windows targets. This is resolved in this release.

JDK-8350820

OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows

On Windows, the OperatingSystemMXBean CPU load methods, such as getSystemCpuLoad, getCpuLoad, and getProcessCpuLoad, always return -1. This error affects CPU usage monitoring of Windows targets.

This issue was introduced during JDK 24 development. It does not affect earlier releases. It was found too late to be fixed in JDK 24, but will be resolved in an update release.

Resolved: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows

On Windows, the OperatingSystemMXBean CPU load methods, getSystemCpuLoad, getCpuLoad, and getProcessCpuLoad, were failing and always returning -1. This error affected CPU usage monitoring of Windows targets. This is resolved in this release.

FIXED ISSUES

client-libs/java.awt

Priority	Bug	Summary
P4	JDK-8346887	DrawFocusRect() may cause an assertion failure

client-libs/javax.imageio

Priority	Bug	Summary
P3	JDK-8347911	Limit the length of inflated text chunks

client-libs/javax.swing

Priority	Bug	Summary
P4	JDK-8346324	javax/swing/JScrollBar/4865918/bug4865918.java fails in CI

core-libs/java.lang:reflect

Priority	Bug	Summary
P4	JDK-8345614	Improve AnnotationFormatError message for duplicate annotation interfaces

core-libs/java.net

Priority	Bug	Summary
P4	JDK-8346712	Remove com/sun/net/httpserver/TcpNoDelayNotRequired.java test

core-libs/java.nio

Priority	Bug	Summary
P4	JDK-8211851	(ch) java/nio/channels/AsynchronousSocketChannel/StressLoopback.java times out (aix)

core-libs/java.time

Priority	Bug	Summary
P3	JDK-8347965	(tz) Update Timezone Data to 2025a

core-svc/java.lang.management

Priority	Bug	Summary
P2	JDK-8350820	OperatingSystemMXBean CpuLoad() methods return -1.0 on Windows
P4	JDK-8345684	OperatingSystemMXBean.getSystemCpuLoad() throws NPE

hotspot/compiler

Priority	Bug	Summary
P4	JDK-8346868	RISC-V: compiler/sharedstubs tests fail after JDK-8332689

hotspot/gc

Priority	Bug	Summary
P2	JDK-8347564	ZGC: Crash in DependencyContext::clean_unloading_dependents
P4	JDK-8346713	[testsuite] NeverActAsServerClassMachine breaks TestPLABAdaptToMinTLABSize.java TestPinnedHumongousFragmentation.java TestPinnedObjectContents.java
P4	JDK-8347256	Epsilon: Demote heap size and AlwaysPreTouch warnings to info level
P4	JDK-8346688	GenShen: Missing metadata trigger log message
P4	JDK-8346690	Shenandoah: Fix log message for end of GC usage report

hotspot/jfr

Priority	Bug	Summary
P3	JDK-8347496	Test jdk/jfr/jvm/TestModularImage.java fails after JDK-8347124: No javac

hotspot/jvmti

Priority	Bug	Summary
P4	JDK-8346082	Output JVMTI agent information in hserr files

hotspot/runtime

Priority	Bug	Summary
P3	JDK-8347129	cpuset cgroups controller is required for no good reason
P3	JDK-8290043	serviceability/attach/ConcAttachTest.java failed "guarantee(!CheckJNICalls) failed: Attached JNI thread exited without being detached"
P4	JDK-8345959	Make JVM_IsStaticallyLinked JVM_LEAF

infrastructure

Priority	Bug	Summary
P4	JDK-8346014	Bump version numbers for 24.0.1

security-libs/java.security

Priority	Bug	Summary
P3	JDK-8347506	Compatible OCSP readtimeout property with OCSP timeout
P3	JDK-8344361	Restore null return for invalid services from legacy providers
P4	JDK-8347424	Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test

security-libs/javax.net.ssl

Priority	Bug	Summary
P3	JDK-8346587	Distrust TLS server certificates anchored by Camerfirma Root CAs
P4	JDK-8339356	Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine

tools/javac

Priority	Bug	Summary
P3	JDK-8349058	'internal proprietary API' warnings make javac warnings unusable

tools/jlink

Priority	Bug	Summary
P4	JDK-8347124	Clean tests with --enable-linkable-runtime
P4	JDK-8346239	Improve memory efficiency of JimageDiffGenerator
P4	JDK-8347334	JimageDiffGenerator code clean-ups

tools/jpackage

Priority	Bug	Summary
P4	JDK-8347299	Add annotations to test cases in LicenseTest