RELEASE NOTES: JDK openjdk8u222

Default SSL Session Cache Size Updated to 20480

The default SSL session cache size has been updated to 20480 in this JDK release

os::set_native_thread_name() cleanups

On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName() method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread, which may result in some threads having the same native name.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release. Affected applications on such configurations should specify the system property -Djdk.gtk.version=2.2 to request GTK2+ based rendering instead.

Added Google Trust Services GlobalSign Root Certificates

The following root certificates have been added to the OpenJDK cacerts truststore: + Google + globalsigneccrootcar4

DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4

• globalsignr2ca

  DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

Added T-Systems, GlobalSign and Starfield Services Root Certificates

The following root certificates have been added to the OpenJDK cacerts truststore: + T-Systems + deutschetelekomrootca2

DN: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

• ttelesecglobalrootclass3ca

  DN: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE

• ttelesecglobalrootclass2ca DN: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE

• Amazon

• starfieldservicesrootg2ca

  DN: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US

• GlobalSign

• globalsignca

  DN: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

• globalsignr3ca

  DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3

• globalsigneccrootcar5

  DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5

Added GoDaddy Root Certificates

The following root certificates have been added to the OpenJDK cacerts truststore: + GoDaddy + godaddyrootg2ca

DN: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., 
       CN=Go Daddy Root Certificate Authority - G2

• godaddyclass2ca

  DN: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

• starfieldclass2ca

  DN: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority

• starfieldrootg2ca

  DN: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2

Added Additional TeliaSonera Root Certificate

The following root certificate have been added to the OpenJDK cacerts truststore: + TeliaSonera + teliasonerarootcav1

DN: CN=TeliaSonera Root CA v1, O=TeliaSonera

Removal of Two Comodo Root CA Certificates

Two Comodo root CA certificates have expired and were removed from the cacerts keystore: + alias name "utnuserfirstclientauthemailca [jdk]"

Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

• alias name "utnuserfirsthardwareca [jdk]"

  Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Removal of Two DocuSign Root CA Certificates

Two DocuSign root CA certificates have expired and were removed from the cacerts keystore: + alias name "certplusclass2primaryca [jdk]"

Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

• alias name "certplusclass3pprimaryca [jdk]"

  Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

Removal of GTE CyberTrust Global Root

The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore: + alias name "gtecybertrustglobalca [jdk]"

Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

JEP 319 Root Certificates

Provides a default set of root Certification Authority (CA) certificates in the JDK.

The cacerts keystore of the OpenJDK 9 binary for Linux x64 has been populated by JEP 319: Root Certificates [1] with a set of root certificates issued by the CAs of Oracle's Java SE Root CA Program. This addresses the problem of the empty cacerts keystore in the OpenJDK 9 binary for Linux x64. The empty cacerts keystore had prevented TLS connections from being established because Trusted Root Certificate Authorities were not installed. As a workaround for OpenJDK 9 binaries, users had to set the javax.net.ssl.trustStore System Property to use a different keystore.

[1] https://bugs.java.com/viewbug.do?bugid=JDK-8191486

TLS does not work by default on OpenJDK 9

The OpenJDK 9 binary for Linux x64 contains an empty `cacerts` keystore. This prevents TLS connections from being established because there are no Trusted Root Certificate Authorities installed. You may see an exception like the following: 

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

As a workaround, users can set the javax.net.ssl.trustStore System Property to use a different keystore. For example, the ca-certificates package on Oracle Linux 7 contains the set of Root CA certificates chosen by the Mozilla Foundation for use with the Internet PKI. This package installs a trust store at /etc/pki/java/cacerts, which can be used by OpenJDK 9.

Only the OpenJDK 64 bit Linux download is impacted. This issue does not apply to any Oracle JRE/JDK download.

Progress on open-sourcing the Oracle JDK Root CAs can be tracked through the issue JDK-8189131.

Added GlobalSign R6 Root Certificate

The following root certificate has been added to the cacerts truststore: ``` + GlobalSign + globalsignrootcar6

DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6

```

Removal of T-Systems Deutsche Telekom Root CA 2 Certificate

The T-Systems Deutsche Telekom Root CA 2 certificate has expired and was removed from the cacerts keystore: + alias name "deutschetelekomrootca2 [jdk]"

Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

Added Entrust Root Certificates

The following root certificates have been added to the OpenJDK cacerts truststore: + Entrust + entrustrootcaec1

DN: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, 
       OU=(c) 2012 Entrust, Inc. - for authorized use only,
       CN=Entrust Root Certification Authority - EC1

• entrust2048ca

  DN: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)

• entrustrootcag2

  DN: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2

• entrustevca

  DN: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority

• affirmtrustnetworkingca

  DN: C=US, O=AffirmTrust, CN=AffirmTrust Networking

• affirmtrustpremiumca

  DN: C=US, O=AffirmTrust, CN=AffirmTrust Premium

• affirmtrustcommercialca

  DN: C=US, O=AffirmTrust, CN=AffirmTrust Commercial

• affirmtrustpremiumeccca

  DN: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC