RELEASE NOTES FOR: 24.0.1
====================================================================================================

Notes generated: Sun Jun 15 07:24:15 CEST 2025

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

None.

RELEASE NOTES:

security-libs/javax.net.ssl:

JDK-8346587: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025

The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.

TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025.

An application will receive an exception with a message indicating the trust anchor is not trusted, for example:

```
"TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
```

The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.

The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:
Root Certificates distrusted after 2025-04-15

| Distinguished Name | SHA-256 Fingerprint |
| --- | --- |
| CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU | 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 |
| CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU | 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 |
| CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU | 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA |

You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:

```
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
```

If any of the certificates in the chain issued by one of the root CAs in the table above are listed in the output, you will need to update the certificate or contact the organization that manages the server.

security-libs/java.security:

JDK-8347506: Compatible OCSP readtimeout Property with OCSP Timeout

In JDK 21, an enhanced syntax for various timeout properties was released through JDK-8179502. This included a new system property, `com.sun.security.ocsp.readtimeout`, which allows users to control the timeout while reading OCSP responses after a successful TCP connection has been established.

This release changes the default value of `com.sun.security.ocsp.readtimeout` from its original 15 seconds to the value of the `com.sun.security.ocsp.timeout` system property. If the `com.sun.security.ocsp.timeout` system property is also not set, then its default 15 second timeout is propagated to the default for `com.sun.security.ocsp.readtimeout`.

core-svc/java.lang.management:

JDK-8350820: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows

On Windows, the `OperatingSystemMXBean` CPU load methods, such as `getSystemCpuLoad`, `getCpuLoad`, and `getProcessCpuLoad`, always return -1. This error affects CPU usage monitoring of Windows targets.

This issue was introduced during JDK 24 development. It does not affect earlier releases. It was found too late to be fixed in JDK 24, but will be resolved in an update release.

JDK-8350820: Resolved: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows

On Windows, the `OperatingSystemMXBean` CPU load methods, `getSystemCpuLoad`, `getCpuLoad`, and `getProcessCpuLoad`, were failing and always returning -1. This error affected CPU usage monitoring of Windows targets.

This is resolved in this release.
ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs/java.awt:
  (P4) JDK-8346887: DrawFocusRect() may cause an assertion failure

client-libs/javax.imageio:
  (P3) JDK-8347911: Limit the length of inflated text chunks

client-libs/javax.swing:
  (P4) JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI

core-libs/java.lang:reflect:
  (P4) JDK-8345614: Improve AnnotationFormatError message for duplicate annotation interfaces

core-libs/java.net:
  (P4) JDK-8346712: Remove com/sun/net/httpserver/TcpNoDelayNotRequired.java test

core-libs/java.nio:
  (P4) JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/StressLoopback.java times out (aix)

core-libs/java.time:
  (P3) JDK-8347965: (tz) Update Timezone Data to 2025a

core-svc/java.lang.management:
  (P2) JDK-8350820: OperatingSystemMXBean CpuLoad() methods return -1.0 on Windows
  (P4) JDK-8345684: OperatingSystemMXBean.getSystemCpuLoad() throws NPE

hotspot/compiler:
  (P4) JDK-8346868: RISC-V: compiler/sharedstubs tests fail after JDK-8332689

hotspot/gc:
  (P2) JDK-8347564: ZGC: Crash in DependencyContext::clean_unloading_dependents
  (P4) JDK-8346713: [testsuite] NeverActAsServerClassMachine breaks TestPLABAdaptToMinTLABSize.java TestPinnedHumongousFragmentation.java TestPinnedObjectContents.java
  (P4) JDK-8347256: Epsilon: Demote heap size and AlwaysPreTouch warnings to info level
  (P4) JDK-8346688: GenShen: Missing metadata trigger log message
  (P4) JDK-8346690: Shenandoah: Fix log message for end of GC usage report

hotspot/jfr:
  (P3) JDK-8347496: Test jdk/jfr/jvm/TestModularImage.java fails after JDK-8347124: No javac

hotspot/jvmti:
  (P4) JDK-8346082: Output JVMTI agent information in hserr files

hotspot/runtime:
  (P3) JDK-8347129: cpuset cgroups controller is required for no good reason
  (P3) JDK-8290043: serviceability/attach/ConcAttachTest.java failed "guarantee(!CheckJNICalls) failed: Attached JNI thread exited without being detached"
  (P4) JDK-8345959: Make JVM_IsStaticallyLinked JVM_LEAF

infrastructure:
  (P4) JDK-8346014: Bump version numbers for 24.0.1

security-libs/java.security:
  (P3) JDK-8347506: Compatible OCSP readtimeout property with OCSP timeout
  (P3) JDK-8344361: Restore null return for invalid services from legacy providers
  (P4) JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test

security-libs/javax.net.ssl:
  (P3) JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
  (P4) JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine

tools/javac:
  (P3) JDK-8349058: 'internal proprietary API' warnings make javac warnings unusable

tools/jlink:
  (P4) JDK-8347124: Clean tests with --enable-linkable-runtime
  (P4) JDK-8346239: Improve memory efficiency of JimageDiffGenerator
  (P4) JDK-8347334: JimageDiffGenerator code clean-ups

tools/jpackage:
  (P4) JDK-8347299: Add annotations to test cases in LicenseTest