RELEASE NOTES FOR: openjdk8u452 ==================================================================================================== Notes generated: Sun May 18 05:04:57 CEST 2025 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/javax.net.ssl: JDK-8346587: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025 The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft. TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected. The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025. An application will receive an exception with a message indicating the trust anchor is not trusted, for example: ``` "TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU" ``` The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file. The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:
Root Certificates distrusted after 2025-04-15
Distinguished Name SHA-256 Fingerprint
CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU

0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows: keytool -v -list -alias -keystore If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server. security-libs/java.security: JDK-8309841: Jarsigner Should Print a Warning If an Entry Is Removed If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the `JarFile` API, since the `getJarEntry` method returns `null` as if the entry had never existed. With this change, the `jarsigner -verify` command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: "This JAR contains signed entries for files that do not exist". Users can further find out the names of these entries by adding the `-verbose` option to the command. core-libs/java.time: JDK-8339637: Support for Time Zone Database 2024b IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar. The new tzdata changes also impact some legacy zone IDs. Mapping of EST/MST/HST in java.time.ZoneId.SHORT_IDS have changed from fixed offset zones to links to other existing time zones with 2024b. "EST" now links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". Parsing of the short zone names "EST", "MST", and "HST" is not affected by this change. Further details are available at JDK-8340138 JDK-8339637: Support for Time Zone Database 2024b IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar. The new tzdata changes also impact some legacy time zone IDs. As per 2024b changes "EST" links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". To maintain compatibility with the Java SE specification, the `java.time.ZoneId.SHORT_IDS` Map has not changed. Further details are available at JDK-8342331 ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs/2d: (P4) JDK-8326110: [8u] The Marlin tests should be updated after JDK-8241307 client-libs/java.awt: (P4) JDK-8068305: [TEST_BUG] Test java/awt/Mixing/HWDisappear.java fails with GTKL&F core-libs/java.lang: (P3) JDK-8265019: Update tests for additional TestNG test permissions core-libs/java.time: (P3) JDK-8339637: (tz) Update Timezone Data to 2024b (P3) JDK-8347965: (tz) Update Timezone Data to 2025a (P4) JDK-8352097: (tz) zone.tab update missed in 2025a backport (P4) JDK-8350816: [8u] Update TzdbZoneRulesCompiler to ignore HST/EST/MST links (P4) JDK-8339644: Improve parsing of Day/Month in tzdata rules core-libs/java.util.jar: (P4) JDK-8240235: jdk.test.lib.util.JarUtils updates jar files incorrectly core-libs/java.util:i18n: (P2) JDK-8353433: XCG currency code not recognized in JDK 8u core-svc/debugger: (P4) JDK-8340660: [8u] Test com/sun/jdi/PrivateTransportTest.sh fails on MacOS core-svc/javax.management: (P4) JDK-8348211: [8u] sun/management/jmxremote/startstop/JMXStartStopTest.java fails after backport of JDK-8066708 hotspot/compiler: (P3) JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0 (P3) JDK-8250825: C2 crashes with assert(field != __null) failed: missing field (P4) JDK-8349166: Bad indentation in backport of JDK-8250825 hotspot/jfr: (P4) JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak (P4) JDK-8261020: Wrong format parameter in create_emergency_chunk_path infrastructure/build: (P5) JDK-8244966: Add .vscode to .hgignore and .gitignore (P5) JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names infrastructure/release_eng: (P4) JDK-8345504: Bump update version of OpenJDK: 8u452 security-libs/java.security: (P3) JDK-8309841: Jarsigner should print a warning if an entry is removed security-libs/javax.net.ssl: (P3) JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs (P3) JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch (P3) JDK-8227651: Tests fail with SSLProtocolException: Input record too big (P4) JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java (P4) JDK-8339560: Unaddressed comments during code review of JDK-8337664 tools/jar: (P4) JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract (P5) JDK-8346140: [8u] tools/jar/ExtractFilesTest.java and tools/jar/MultipleManifestTest.java fails with jtreg5.1 tools/javac: (P3) JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests xml: (P4) JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML