RELEASE NOTES: JDK openjdk8u492

Notes generated: Fri Apr 03 05:20:09 CEST 2026

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description
JDK-8369282

Distrust TLS Server Certificates Anchored by Chunghwa Root Certificates and Issued After March 17, 2026


The JDK will stop trusting TLS server certificates issued after March 17, 2026 and anchored by Chunghwa root certificates, in line with similar plans announced by Google and Mozilla.

TLS server certificates issued on or before March 17, 2026 will continue to be trusted until they expire. Certificates issued after that date, and anchored by the Certificate Authority listed in the table below, will be rejected.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after March 17, 2026.

An application will receive an exception with a message indicating the trust anchor is not trusted, for example:

` "TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW" `

The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:

Root Certificates distrusted after 2026-03-17
Distinguished Name SHA-256 Fingerprint
OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW

C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

FIXED ISSUES

client-libs

Priority Bug Summary
P5 JDK-8274893 Update java.desktop classes to use try-with-resources

client-libs/2d

Priority Bug Summary
P3 JDK-8361748 Enforce limits on the size of an XBM image
P3 JDK-8373727 New XBM images parser regression: only the first line of the bitmap array is parsed
P3 JDK-8373290 Update FreeType to 2.14.1
P3 JDK-8379158 Update FreeType to 2.14.2

client-libs/java.awt

Priority Bug Summary
P3 JDK-8376352 [8u] Build failure on Windows 32-bit after JDK-8362308
P3 JDK-8312518 [macos13] setFullScreenWindow() shows black screen on macOS 13 & above
P3 JDK-8328999 Update GIFlib to 5.2.2
P3 JDK-8375063 Update Libpng to 1.6.54
P4 JDK-8376272 [8u] Windows x86-32 fails to build after JDK-8359501
P4 JDK-8225487 giflib legal file is missing attribution for openbsd-reallocarray.c.

core-libs/java.net

Priority Bug Summary
P3 JDK-8223145 Replace wildcard address with loopback or local host in tests - part 1
P3 JDK-8285836 sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
P4 JDK-8153147 Mark java/net/BindException/Test.java as intermittently failing

core-libs/java.nio

Priority Bug Summary
P4 JDK-8277159 Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points

core-libs/java.time

Priority Bug Summary
P3 JDK-8373476 (tz) Update Timezone Data to 2025c
P3 JDK-8379035 (tz) Update Timezone Data to 2026a

core-libs/javax.naming

Priority Bug Summary
P3 JDK-8237834 com/sun/jndi/ldap/LdapDnsProviderTest.java failing with LDAP response read timeout
P4 JDK-8251189 com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout

hotspot/compiler

Priority Bug Summary
P3 JDK-8170464 Remove shell script from compiler/c2/cr7005594/Test7005594.java

hotspot/gc

Priority Bug Summary
P3 JDK-8186149 quarantine gc/survivorAlignment/TestPromotionFromSurvivorToTenuredAfterMinorGC.java

hotspot/jfr

Priority Bug Summary
P3 JDK-8360869 jcstress is able to crash jdk8 on aarch64 with jfr on

hotspot/runtime

Priority Bug Summary
P3 JDK-8313770 jdk/internal/platform/docker/TestSystemMetrics.java fails on Ubuntu
P3 JDK-8174734 Safepoint sync time did not increase
P4 JDK-8284758 [linux] improve print_container_info
P4 JDK-8056039 Hotspot does not compile with clang 3.4 on Linux
P4 JDK-8287011 Improve container information
P4 JDK-8220658 Improve the readability of container information in the error log
P4 JDK-8264524 jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working

hotspot/test

Priority Bug Summary
P4 JDK-8377344 [8u] Compilation failure on Windows for Linux-specific platform metric tests
P4 JDK-8376338 Test7005594.sh fails when given a memory value with decimals

infrastructure/build

Priority Bug Summary
P3 JDK-8157758 JDK9 does not compile on Linux with GCC 6.1 because left-shifting a negative number has undefined behavior
P4 JDK-8374917 [8u] C++ flags get passed to C compiles in the HotSpot build
P4 JDK-8374899 [8u] Fully handle clang as the toolchain in flags.m4
P4 JDK-8376225 [8u] GHA: Apply work-around for missing JNF for MacOSX builds
P4 JDK-8374948 [8u] saproc & jsig builds add duplicate linker flags on Darwin/MacOS
P4 JDK-8369226 GHA: Switch to MacOS 15

infrastructure/release_eng

Priority Bug Summary
P4 JDK-8373250 Bump update version of OpenJDK: 8u492

security-libs/java.security

Priority Bug Summary
P4 JDK-8132786 java/security/cert/CertPathValidator/OCSP/AIACheck.java fails intermittently

security-libs/javax.net.ssl

Priority Bug Summary
P3 JDK-8369282 Distrust TLS server certificates anchored by Chunghwa ePKI Root CA

tools/launcher

Priority Bug Summary
P3 JDK-8074840 Resolve disabled warnings for libjli and libjli_static
P4 JDK-8353657 [8u] Test tools/launcher/VersionCheck.java fails with debug build