RELEASE NOTES: JDK openjdk8u272

Notes generated: Mon Jun 03 18:06:54 CEST 2024





Issue Description

Oracle Specific JDK Update of System Property to Fall Back to Legacy Base64 Encoding Format

Oracle JDK 8u231 has upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue in which XML signatures using Base64 encoding appended &#xd or &#13 to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without &#xd or &#13.

Therefore an Oracle specific JDK 8 Update of a new system property has been made available to fall back to legacy Base64 encoded format.

Users can set this flag in one of two ways:

  2. System.setProperty("", "true")

This new system property is disabled by default. It has no effect on default behavior or when the property is set.

Later JDK family versions will only support the recommended property:

JDK-8217878 System Property

An Apache Santuario library version upgrade, used by the javax.xml.crypto.* packages, introduces a behavioral change where a new Base64 encoder uses "\r\n" as the end-of-line terminator. By default, XML signatures signed using API calls from the javax.xml.crypto.dsig package include the escaped '\r' character, encoded as "&#xd" or "&#13".

A new system property may be set to a value of "true" if an application is unable to handle the encoded output data changes where "&#xd" or "&#13" get appended to new lines in encoding operations. The effect of this property is to not include the carriage return character in Base64-encoded fields in XML signatures generated by calls to the javax.xml.crypto.* packages.

Additional information can be found at
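The following added example (not part of the release notes or of the JDK sources) shows what the line-ending change means for a consumer of a signed document: the signature bytes are identical in both forms, but the carriage return reaches the application as a literal character. The class name, the constructed 256-byte signature value and the "brittle consumer" behavior of stripping only '\n' are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;

public class SignatureValueLineEndings {

    /** Parses a one-element document and returns its text as an application would see it. */
    static String textOf(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement().getTextContent();
    }

    /** True if a decoder that rejects every non-alphabet character accepts the text. */
    static boolean strictDecoderAccepts(String text) {
        try {
            Base64.getDecoder().decode(text);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed 256-byte stand-in for an RSA-2048 signature value.
        byte[] sig = new byte[256];
        for (int i = 0; i < sig.length; i++) sig[i] = (byte) i;

        // RFC 2045 form: 76-character lines separated by CRLF.
        String crlf = Base64.getMimeEncoder().encodeToString(sig);
        // Legacy form: same line length, LF only.
        String lf = Base64.getMimeEncoder(76, new byte[] {'\n'}).encodeToString(sig);

        // In serialized XML the CR appears as a character reference, which
        // is not subject to the parser's end-of-line normalization.
        String newText = textOf("<SignatureValue>" + crlf.replace("\r", "&#13;") + "</SignatureValue>");
        String oldText = textOf("<SignatureValue>" + lf + "</SignatureValue>");
        System.out.println("CR reaches the consumer (new form): " + newText.contains("\r"));
        System.out.println("CR reaches the consumer (old form): " + oldText.contains("\r"));

        // Brittle consumer (assumed): strips '\n' only, then decodes strictly.
        System.out.println("brittle consumer accepts old form: "
                + strictDecoderAccepts(oldText.replace("\n", "")));
        System.out.println("brittle consumer accepts new form: "
                + strictDecoderAccepts(newText.replace("\n", "")));

        // Robust consumer: ignores all line separators, as the MIME decoder does.
        byte[] fromNew = Base64.getMimeDecoder().decode(newText);
        byte[] fromOld = Base64.getMimeDecoder().decode(oldText);
        System.out.println("same signature bytes from both forms: "
                + (Arrays.equals(fromNew, sig) && Arrays.equals(fromOld, sig)));
    }
}
```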


Updated xmldsig Implementation to Apache Santuario 2.1.1

The XMLDSig provider implementation in the java.xml.crypto module has been updated to version 2.1.1 of Apache Santuario. New features include:

  1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931.
  2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.


Issue Description

Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the system or security properties).


Issue Description

supported_groups Extension Should Not be Present in ServerHello Handshake Message

While the supported_groups extension should not be present in ServerHello handshake messages, previous releases have ignored its presence, so that misconfigured servers could continue to function. JDK 11 currently throws an exception if this extension is sent in the ServerHello handshake message.
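To check whether a server is affected, the extension list of a captured ServerHello can be inspected. The following is an added example, not JDK code: it walks one ServerHello handshake message (without the 5-byte record header) and reports the extension types it carries. The class and method names and the two constructed sample messages are assumptions for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

public class ServerHelloExtensionCheck {
    static final int HANDSHAKE_SERVER_HELLO = 2;
    static final int EXT_SUPPORTED_GROUPS = 10;   // IANA ExtensionType value

    /** Returns the extension type codes found in one ServerHello handshake message. */
    static List<Integer> extensionTypes(byte[] handshake) {
        ByteBuffer b = ByteBuffer.wrap(handshake);
        if ((b.get() & 0xff) != HANDSHAKE_SERVER_HELLO)
            throw new IllegalArgumentException("not a ServerHello");
        int bodyLen = ((b.get() & 0xff) << 16) | (b.getShort() & 0xffff);
        if (bodyLen != b.remaining())
            throw new IllegalArgumentException("handshake length mismatch");
        b.position(b.position() + 2 + 32);            // version, random
        int sessionIdLen = b.get() & 0xff;
        b.position(b.position() + sessionIdLen + 2 + 1); // session_id, cipher_suite, compression
        List<Integer> types = new ArrayList<>();
        if (!b.hasRemaining()) return types;          // the extensions block is optional
        int extLen = b.getShort() & 0xffff;
        if (extLen != b.remaining())
            throw new IllegalArgumentException("extensions length mismatch");
        while (b.hasRemaining()) {
            int type = b.getShort() & 0xffff;
            int len = b.getShort() & 0xffff;
            if (len > b.remaining())
                throw new IllegalArgumentException("truncated extension");
            b.position(b.position() + len);
            types.add(type);
        }
        return types;
    }

    /** Builds a constructed TLS 1.2 ServerHello, optionally with supported_groups. */
    static byte[] sampleServerHello(boolean withSupportedGroups) {
        ByteArrayOutputStream ext = new ByteArrayOutputStream();
        ext.write(new byte[] {(byte) 0xff, 0x01, 0x00, 0x01, 0x00}, 0, 5); // renegotiation_info
        if (withSupportedGroups)                      // one group: secp256r1 (0x0017)
            ext.write(new byte[] {0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17}, 0, 8);
        ByteBuffer body = ByteBuffer.allocate(2 + 32 + 1 + 2 + 1 + 2 + ext.size());
        body.putShort((short) 0x0303).put(new byte[32]).put((byte) 0) // empty session_id
            .putShort((short) 0xc02f).put((byte) 0)                   // suite, null compression
            .putShort((short) ext.size()).put(ext.toByteArray());
        ByteBuffer msg = ByteBuffer.allocate(4 + body.capacity());
        msg.put((byte) HANDSHAKE_SERVER_HELLO).put((byte) 0)
           .putShort((short) body.capacity()).put(body.array());
        return msg.array();
    }

    public static void main(String[] args) {
        for (boolean misconfigured : new boolean[] {false, true}) {
            List<Integer> types = extensionTypes(sampleServerHello(misconfigured));
            System.out.println("extension types " + types + ", supported_groups present: "
                    + types.contains(EXT_SUPPORTED_GROUPS));
        }
    }
}
```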


Increase the priorities of GCM cipher suites

In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.

In the SunJSSE provider, the following cipher suites are now the most preferred by default:

```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
```

Note that this is a behavior change of the SunJSSE provider in the JDK; it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee that the cipher suite priorities will remain the same in future updates or releases.


Issue Description

SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.


Issue Description

Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore:

```
+ SSL Corporation
  + sslrootrsaca
    DN: Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
  + sslrootevrsaca
    DN: EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
  + sslrooteccca
    DN: Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
```


Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore:

```
+ Entrust
  + entrustrootcag4
    DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See, O="Entrust, Inc.", C=US
```


Issue Description

OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()



Priority Bug Summary
P2 JDK-8244818 [macos] Java2D Queue Flusher crash while moving application window to external monitor
P2 JDK-8233097 Fontmetrics for large Fonts has zero width
P3 JDK-8145808 [PIT] test java/awt/Graphics2D/MTGraphicsAccessTest/ hangs on Win. 8
P3 JDK-8209113 Use WeakReference for lastFontStrike for created Fonts
P4 JDK-8177628 Opensource unit/regression tests for ImageIO


Priority Bug Summary
P2 JDK-8242498 Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
P3 JDK-8200313 java/awt/Gtk/GtkVersionTest/ fails
P4 JDK-8137087 [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/
P4 JDK-8039082 [TEST_BUG] Test java/awt/dnd/BadSerializationTest/ fails
P4 JDK-8132376 Add @requires to the client tests with access to internal OS-specific API
P4 JDK-8239819 XToolkit: Misread of screen information memory


Priority Bug Summary
P4 JDK-8183341 Better cleanup for javax/imageio/
P4 JDK-8250755 Better cleanup for jdk/test/javax/imageio/plugins/shared/
P4 JDK-8183349 Better cleanup for jdk/test/javax/imageio/plugins/shared/ and
P4 JDK-8183351 Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/


Priority Bug Summary
P3 JDK-8156169 Some sound tests rarely hangs because of incorrect synchronization
P4 JDK-8167615 Opensource unit/regression tests for JavaSound
P4 JDK-6574989 TEST_BUG: javax/sound/sampled/Clip/ fails sometimes


Priority Bug Summary
P4 JDK-8172012 [TEST_BUG] delays needed in javax/swing/JTree/4633594/
P4 JDK-8198004 javax/swing/JFileChooser/6868611/ throws error
P4 JDK-8226697 Several tests which need the @key headful keyword are missing it.


Priority Bug Summary
P3 JDK-8078334 Mark regression tests using randomness
P4 JDK-8238380 java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
P4 JDK-8250627 Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics


Priority Bug Summary
P4 JDK-8211163 UNIX version of Java_java_io_Console_echo does not return a clean boolean


Priority Bug Summary
P4 JDK-8226809 Circular reference in printed stack trace is not correctly indented & ambiguous
P4 JDK-8168517 java/lang/ProcessBuilder/ failed with "java.lang.AssertionError: Some tests failed"


Priority Bug Summary
P5 JDK-8026236 Add PrimeTest for BigInteger


Priority Bug Summary
P3 JDK-8251546 8u backport of JDK-8194298 breaks AIX and Solaris builds
P3 JDK-8194298 Add support for per Socket configuration of TCP keepalive
P3 JDK-8210147 adjust some WSAGetLastError usages in windows network coding
P3 JDK-8151788 NullPointerException from ntlm.Client.type3
P4 JDK-8238386 (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
P5 JDK-8036088 Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c


Priority Bug Summary
P4 JDK-8075774 Small readability and performance improvements for zipfs


Priority Bug Summary
P4 JDK-8231213 Migrate SimpleDateFormatConstTest to JDK Repo


Priority Bug Summary
P1 JDK-8166148 Fix for JDK-8165936 broke Solaris builds
P4 JDK-8132745 TEST_BUG: minor cleanup of java/util/Scanner/


Priority Bug Summary
P4 JDK-8132206 move into OpenJDK


Priority Bug Summary
P3 JDK-8152077 (cal) Calendar.roll does not always roll the hours during daylight savings changes
P3 JDK-8165936 Potential Heap buffer overflow when searching timezone info files


Priority Bug Summary
P2 JDK-8151678 com/sun/jndi/ldap/ failed due to timeout on DeadServerNoTimeoutTest is incorrect
P2 JDK-8217606 LdapContext#reconnect always opens a new connection
P4 JDK-8160768 Add capability to custom resolve host/domain names within the default JNDI LDAP provider
P4 JDK-8243138 Enhance BaseLdapServer to support starttls extended request
P4 JDK-8062947 Fix exception message to correctly represent LDAP connection failure


Priority Bug Summary
P3 JDK-8193137 Nashorn crashes when given an empty script file.


Priority Bug Summary
P3 JDK-8203357 Container Metrics


Priority Bug Summary
P3 JDK-8230303 JDB hangs when running monitor command
P4 JDK-8229378 jdwp library loader in linker_md.c quietly truncates on buffer overflow


Priority Bug Summary
P2 JDK-8192953 sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
P3 JDK-8061616 HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double
P3 JDK-8226575 OperatingSystemMXBean should be made container aware
P5 JDK-8025886 replace [[ and == bash extensions in regtest


Priority Bug Summary
P4 JDK-8254937 Revert JDK-8148854 for 8u272


Priority Bug Summary
P1 JDK-8148754 C2 loop unrolling fails due to unexpected graph shape
P2 JDK-8252573 8u: Windows build failed after 8222079 backport
P3 JDK-8214862 assert(proj != __null) at compile.cpp:3251
P3 JDK-8234617 C1: Incorrect result of field load due to missing narrowing conversion
P3 JDK-8230711 ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG
P3 JDK-8240676 Meet not symmetric failure when running lucene on jdk8
P4 JDK-8237951 CTW: C2 compilation fails with "malformed control flow"
P4 JDK-8222079 Don't use memset to initialize fields decode_env constructor in disassembler.cpp
P4 JDK-8219919 RuntimeStub's name lost with PrintFrameConverterAssembly
P4 JDK-8167300 Scheduling failures during gcm should be fatal


Priority Bug Summary
P2 JDK-8248851 CMS: Missing memory fences between free chunk check and klass read
P3 JDK-8231779 crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
P3 JDK-8057003 Large reference arrays cause extremely long synchronization times
P4 JDK-8153583 Make OutputAnalyzer.reportDiagnosticSummary public


Priority Bug Summary
P3 JDK-8216283 Allow shorter method sampling interval than 10 ms
P3 JDK-8221569 JFR tool produces incorrect output when both --categories and --events are specified
P3 JDK-8217647 JFR: recordings on 32-bit systems unreadable
P3 JDK-8224217 RecordingInfo should use textual representation of path
P4 JDK-8246310 Clean commented-out code about ModuleEntry and PackageEntry in JFR
P4 JDK-8246384 Enable JFR by default on supported architectures for October 2020 release
P4 JDK-8219566 JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero
P4 JDK-8220555 JFR tool shows potentially misleading message when it cannot access a file
P4 JDK-8252084 Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled
P4 JDK-8243489 Thread CPU Load event may contain wrong data for CPU time under certain conditions


Priority Bug Summary
P3 JDK-8254673 call for JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158
P3 JDK-8035493 JVMTI PopFrame capability must instruct compilers not to prune locals
P4 JDK-8249158 THREAD_START and THREAD_END event posted in primordial phase


Priority Bug Summary
P2 JDK-8235325 build failure on Linux after 8235243
P2 JDK-8060721 Test runtime/SharedArchiveFile/ fails in jdk 9 fcs new platforms/compiler
P3 JDK-8148854 Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
P3 JDK-8064319 Need to enable -XX:+TraceExceptions in release builds
P4 JDK-8048933 -XX:+TraceExceptions output should include the message
P4 JDK-8023697 failed class resolution reports different class name in detail message for the first and subsequent times
P4 JDK-8235243 handle VS2017 15.9 and VS2019 in abstract_vm_version
P4 JDK-8240295 hs_err elapsed time in seconds is not accurate enough
P4 JDK-8250875 Incorrect parameter type for update_number in JDK_Version::jdk_update
P4 JDK-8211714 Need to update vm_version.cpp to recognise VS2017 minor versions
P4 JDK-8248643 Remove extra leading space in JDK-8240295 8u backport
P4 JDK-8193234 When using -Xcheck:jni an internally allocated buffer can leak
P4 JDK-8184762 ZapStackSegments should use optimized memset


Priority Bug Summary
P2 JDK-8235687 Contents/MacOS/libjli.dylib cannot be a symlink
P3 JDK-8238225 Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
P4 JDK-8251120 [8u] HotSpot build assumes ENABLE_JFR is set to either true or false
P4 JDK-8154313 Generated javadoc scattered all over the place


Priority Bug Summary
P4 JDK-8245474 Add TLS_KRB5 cipher suites support according to RFC-2712
P4 JDK-8245468 Add TLSv1.3 implementation classes from 11.0.7
P4 JDK-8245477 Adjust TLS tests location
P4 JDK-8245472 Backport JDK-8038893 to JDK8
P4 JDK-8251478 Backport TLSv1.3 regression tests to JDK8u
P4 JDK-8245476 Disable TLSv1.3 protocol in the ClientHello message by default
P4 JDK-8245470 Fix JDK8 compatibility issues
P4 JDK-8245473 OCSP stapling support
P4 JDK-8245467 Remove 8u TLSv1.2 implementation files
P4 JDK-8245469 Remove DTLS protocol implementation
P4 JDK-8245471 Revert JDK-8148188


Priority Bug Summary
P3 JDK-8243321 Add Entrust root CA - G4 to Oracle Root CA program
P3 JDK-8243320 Add SSL root certificates to Oracle Root CA program
P3 JDK-8242556 Cannot load RSASSA-PSS public key with non-null params from byte array
P3 JDK-8211049 Second parameter of "initialize" method is not used
P4 JDK-8238388 libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
P4 JDK-8165996 PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
P4 JDK-8161973 PKIXRevocationChecker.getSoftFailExceptions() not working
P4 JDK-8151834 Test times out intermittently


Priority Bug Summary
P2 JDK-8220165 Encryption using GCM results in RuntimeException: input length out of bound
P2 JDK-8233954 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
P3 JDK-8078880 Mark a few more intermittently failing security-libs tests
P3 JDK-8201633 Problems with AES-GCM native acceleration


Priority Bug Summary
P1 JDK-8225695 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
P2 JDK-8238898 Missing hash characters for header on license file
P3 JDK-8228835 Memory leak in PKCS11 provider when using AES GCM
P3 JDK-8165275 Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
P3 JDK-8144539 Update PKCS11 tests to run with security manager
P3 JDK-8080462 Update SunPKCS11 provider with PKCS11 v2.40 support
P4 JDK-8251117 Cannot check P11Key size in P11Cipher and P11AEADCipher


Priority Bug Summary
P1 JDK-8207317 SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
P2 JDK-8206929 Check session context for TLS 1.3 session resumption
P2 JDK-8236039 JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
P2 JDK-8209916 NPE in SupportedGroupsExtension
P2 JDK-8206176 Remove the temporary tls13VN field
P2 JDK-8214129 SSL session resumption/SNI with TLS1.2 causes StackOverflowError
P2 JDK-8145854 SSLContextImpl.statusResponseManager should be generated if required
P2 JDK-8206355 SSLSessionImpl.getLocalPrincipal() throws NPE
P2 JDK-8216326 SSLSocket stream close() does not close the associated socket
P2 JDK-8207237 SSLSocket#setEnabledCipherSuites is accepting empty string
P2 JDK-8208166 Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
P2 JDK-8214098 constructor check backwards.
P2 JDK-8216045 The size of key_exchange may be wrong on FFDHE
P2 JDK-8207009 TLS 1.3 half-close and synchronization issues
P2 JDK-8211806 TLS 1.3 handshake server name indication is missing on a session resume
P2 JDK-8196584 TLS 1.3 Implementation
P2 JDK-8210334 TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
P2 JDK-8210846 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
P2 JDK-8207029 Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
P3 JDK-8245681 Add TLSv1.3 regression test from 11.0.7
P3 JDK-8207058 Backport System Property jdk.tls.server.protocols
P3 JDK-8245466 Backport TLSv1.3 protocol implementation
P3 JDK-8225766 Curve in certificate should not affect signature scheme when using TLSv1.3
P3 JDK-8219389 Delegated task created by SSLEngine throws BufferUnderflowException
P3 JDK-8215790 Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
P3 JDK-8221270 Duplicated synchronized keywords in SSLSocketImpl
P3 JDK-8215524 Finished message validation failure should be decrypt_error alert
P3 JDK-8218889 Improperly use of the Optional API
P3 JDK-8212738 Incorrectly named signature scheme ecdsa_secp512r1_sha512
P3 JDK-8028518 Increase the priorities of GCM cipher suites
P3 JDK-8203687 javax/net/ssl/compatibility/ supports TLS 1.3
P3 JDK-8231810 javax/net/ssl/templates/ fails intermittently with "java.lang.Exception: Unexpected EOF"
P3 JDK-8233621 Mismatch in jsse.enableMFLNExtension property name
P3 JDK-8210974 No extensions debug log for ClientHello
P3 JDK-8213782 NullPointerException in
P3 JDK-8213202 Possible race condition in TLS 1.3 session resumption
P3 JDK-8210989 RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
P3 JDK-8207223 SSL Handshake failures are reported with more generic SSLException
P3 JDK-8214339 SSLSocketImpl erroneously wraps SocketException
P3 JDK-8209965 The "supported_groups" extension in ServerHellos
P3 JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
P3 JDK-8212885 TLS 1.3 resumed session does not retain peer certificate chain
P3 JDK-8214688 TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"
P3 JDK-8217610 TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
P3 JDK-8221253 TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
P4 JDK-4919790 Errors in alert ssl message does not reflect the actual certificate status
P4 JDK-8234724 javax/net/ssl/templates/ supports TLSv1.3
P4 JDK-8234723 javax/net/ssl/TLS tests support TLSv1.3
P4 JDK-8251341 Minimal Java specification change
P4 JDK-8214321 Misleading code in SSLCipher
P4 JDK-8245653 Remove 8u TLS tests
P4 JDK-8223482 Unsupported ciphersuites may be offered by a TLS client


Priority Bug Summary
P3 JDK-8239385 Support the 'canonicalize' setting (krb5.conf) in the Kerberos client
P4 JDK-8249610 Make keys) method public


Priority Bug Summary
P3 JDK-8163251 Hard coded loop limit prevents reading of smart card data greater than 8k
P4 JDK-8244151 Update MUSCLE PC/SC-Lite headers to 1.8.26


Priority Bug Summary
P2 JDK-8217878 ENVELOPING XML signature no longer works
P3 JDK-8236645 JDK 8u231 introduces a regression with incompatible handling of XML messages
P3 JDK-8177334 Update xmldsig implementation to Apache Santuario 2.1.1
P3 JDK-8218629 XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10


Priority Bug Summary
P4 JDK-8241888 Mirror system property with a security one


Priority Bug Summary
P3 JDK-8246193 Possible NPE in ENC-PA-REP search in AS-REQ


Priority Bug Summary
P2 JDK-8031625 javadoc problems referencing inner class constructors


Priority Bug Summary
P3 JDK-8169925 Organize licenses by module in source, JMOD file, and run-time image


Priority Bug Summary
P3 JDK-8046274 Removing dependency on jakarta-regexp