RELEASE NOTES: JDK 8u141

Notes generated: Mon Nov 08 19:33:07 CET 2021

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description
JDK-8144566

Custom HostnameVerifier enables SNI extension


Earlier releases of JDK 8 Updates didn't always send the Server Name Indication (SNI) extension in the TLS ClientHello phase if a custom hostname verifier was used. This verifier is set via the setHostnameVerifier(HostnameVerifier v) method in HttpsURLConnection. The fix ensures the Server Name is now sent in the ClientHello body. See JDK-8144566 for more details.


security-libs/java.security

Issue Description
JDK-8176536

Disable SHA-1 TLS Server Certificates


Any TLS server certificate chain containing a SHA-1 certificate (end-entity or intermediate CA) and anchored by a root CA certificate included by default in Oracle's JDK is now blocked by default. TLS Server certificate chains that are anchored by enterprise or private CAs are not affected. Only X.509 certificate chains that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and the SunX509 and PKIX implementations of the TrustManagerFactory API are subject to the restrictions. Third-party implementations of these APIs are directly responsible for enforcing their own restrictions.

To implement this restriction and provide more flexibility for configuring your own restrictions, additional features have been added to the jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms Security Properties in the java.security file, as follows:

  • jdk.certpath.disabledAlgorithms:

    Three new constraints have been added to this Security Property:

    A new constraint named jdkCA that, when set, restricts the algorithm if it is used in a certificate chain that is anchored by a trust anchor pre-installed in the JDK cacerts keystore. This condition does not apply to certificate chains that are anchored by other certificates, including those that are subsequently added to the cacerts keystore. Also, note that the restriction does not apply to trust anchor certificates, since they are directly trusted.

    A new constraint named denyAfter that, when set, restricts the algorithm if it is used in a certificate chain after the specified date. The restriction does not apply to trust anchor certificates, since they are directly trusted. Also, code signing certificate chains as used in signed JARs are treated specially as follows:

      • if the certificate chain is used with a signed JAR that is not timestamped, it will be restricted after the specified date

      • if the certificate chain is used with a signed JAR that is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    A new constraint named usage that, when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported: TLSServer for TLS/SSL server certificate chains, TLSClient for TLS/SSL client certificate chains, and SignedJAR for certificate chains used with signed JARs.

    Multiple constraints can be combined to constrain an algorithm by delimiting them with '&'. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is "SHA1 jdkCA & usage TLSServer".

  • jdk.jar.disabledAlgorithms:

    A new constraint named denyAfter has been added that, when set, restricts the algorithm if it is used in a signed JAR after the specified date, as follows:

      • if the JAR is not timestamped, it will be restricted (treated as unsigned) after the specified date

      • if the JAR is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    For example, to restrict SHA1 in JAR files signed after January 1st 2018, add the following to the property: "SHA1 denyAfter 2018-01-01". The syntax is the same as for the certpath property; however, this property does not perform certificate checking.
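The jdkCA, denyAfter and usage rules above interact (anchor excluded, jdkCA scoped to pre-installed roots, timestamped JARs judged by their timestamp), so it is worth seeing them applied to concrete chains. The following is an added example, not the JDK's own implementation and not part of these release notes: a Python model that parses property values such as "SHA1 jdkCA & usage TLSServer" and "SHA1 denyAfter 2018-01-01" and evaluates them against a simplified description of a certificate chain. The Cert, ChainContext and Constraint classes, the check_chain function, the sample chain and the plain substring match on the signature algorithm name are this example's own simplifications; keySize constraints, which the real property also supports, are deliberately rejected.

```python
"""Model of the jdk.certpath.disabledAlgorithms constraint rules described in
the release note (added example, not JDK code).

Dates are ISO-8601 strings, matching the denyAfter syntax of the property.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    sig_alg: str                       # e.g. "SHA1withRSA", "SHA256withRSA"


@dataclass
class ChainContext:
    chain: List[Cert]                  # end-entity first, trust anchor last
    anchor_is_jdk_ca: bool             # anchor pre-installed in the JDK cacerts
    usage: str                         # "TLSServer", "TLSClient" or "SignedJAR"
    check_date: str                    # date of validation / use (YYYY-MM-DD)
    jar_timestamp: Optional[str] = None   # SignedJAR only: timestamp date, if any


@dataclass
class Constraint:
    algorithm: str
    jdk_ca: bool = False
    deny_after: Optional[date] = None
    usages: List[str] = field(default_factory=list)


def parse_property(value):
    """Parse a comma-separated property value into Constraint objects.

    Handles the algorithm name plus the jdkCA, denyAfter and usage clauses
    from the release note; any other clause (e.g. keySize) raises ValueError
    rather than being silently ignored.
    """
    constraints = []
    for entry in value.split(","):
        parts = entry.strip().split(None, 1)
        if not parts:
            continue
        c = Constraint(algorithm=parts[0].upper())
        for clause in (parts[1].split("&") if len(parts) > 1 else []):
            tokens = clause.split()
            if tokens and tokens[0] == "jdkCA" and len(tokens) == 1:
                c.jdk_ca = True
            elif tokens and tokens[0] == "denyAfter" and len(tokens) == 2:
                c.deny_after = date.fromisoformat(tokens[1])
            elif tokens and tokens[0] == "usage" and len(tokens) >= 2:
                c.usages = tokens[1:]
            else:
                raise ValueError("unsupported constraint clause: %r" % clause)
        constraints.append(c)
    return constraints


def check_chain(constraints, ctx):
    """Return the reasons the chain is blocked (an empty list means allowed)."""
    reasons = []
    for c in constraints:
        # The trust anchor is directly trusted, so only the other certificates
        # in the chain are examined (substring match on the algorithm name).
        hits = [cert for cert in ctx.chain[:-1] if c.algorithm in cert.sig_alg.upper()]
        if not hits:
            continue
        if c.jdk_ca and not ctx.anchor_is_jdk_ca:
            continue                   # enterprise/private CA: jdkCA does not apply
        if c.usages and ctx.usage not in c.usages:
            continue                   # constraint is scoped to other usages
        if c.deny_after is not None:
            # A timestamped JAR is judged by its timestamp, everything else by
            # the date of use; "before the date" is permitted, otherwise denied.
            effective = (ctx.jar_timestamp
                         if ctx.usage == "SignedJAR" and ctx.jar_timestamp is not None
                         else ctx.check_date)
            if date.fromisoformat(effective) < c.deny_after:
                continue
        reasons.append("%s blocked for %s: %s" % (
            c.algorithm, ctx.usage, ", ".join(h.subject for h in hits)))
    return reasons


# Constructed sample chain: a SHA-1 intermediate under a SHA-1 root.
SAMPLE_CHAIN = [Cert("CN=www.example.test", "SHA256withRSA"),
                Cert("CN=Example Intermediate CA", "SHA1withRSA"),
                Cert("CN=Example Root CA", "SHA1withRSA")]

if __name__ == "__main__":
    rules = parse_property("MD2, MD5, SHA1 jdkCA & usage TLSServer")
    ctx = ChainContext(SAMPLE_CHAIN, anchor_is_jdk_ca=True,
                       usage="TLSServer", check_date="2017-08-01")
    print(check_chain(rules, ctx))     # blocked: SHA-1 intermediate, JDK root
```

Running the same chain with anchor_is_jdk_ca=False (a private CA), with usage "TLSClient", or with the intermediate removed so that only the root is SHA-1, yields an empty list, which is exactly the scoping the release note describes.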


FIXED ISSUES

client-libs/java.awt

Priority Bug Summary
P2 JDK-8179014 JFileChooser with Windows look and feel crashes on win 10

client-libs/javax.swing

Priority Bug Summary
P2 JDK-8178996 [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12

core-libs/java.lang:reflect

Priority Bug Summary
P4 JDK-8174729 Race Condition in java.lang.reflect.WeakCache

core-libs/java.nio

Priority Bug Summary
P4 JDK-8165231 java.nio.Bits.unaligned() doesn't return true on ppc

core-libs/java.rmi

Priority Bug Summary
P2 JDK-8180582 After updating to Java8u131, the bind to rmiregistry is rejected by registryFilter even though registryFilter is set

core-svc/java.lang.management

Priority Bug Summary
P2 JDK-8139870 sun.management.LazyCompositeData.isTypeMatched() fails for composite types with items of ArrayType

hotspot/compiler

Priority Bug Summary
P3 JDK-8174164 SafePointNode::_replaced_nodes breaks with irreducible loops

hotspot/svc

Priority Bug Summary
P3 JDK-8178536 OOM ERRORS + SERVICE-THREAD TAKES A PROCESSOR TO 100%

javafx/web

Priority Bug Summary
P2 JDK-8179321 WebEngine.getDocument().getDocumentURI() no longer returns null for loading a String of HTML

security-libs/java.security

Priority Bug Summary
P2 JDK-8176536 Improved algorithm constraints checking
P3 JDK-8165367 Additional tests for JEP 288: Disable SHA-1 Certificates

security-libs/javax.net.ssl

Priority Bug Summary
P3 JDK-8144566 Custom HostnameVerifier disables SNI extension
P3 JDK-8155049 New tests from 8144566 fail with "No expected Server Name Indication"

tools

Priority Bug Summary
P3 JDK-8176329 jdeps to detect MR jar file and output a warning