JDK 12 Early-Access Release Notes

Last Update: 2018/10/18

This is a draft of the release notes that will accompany JDK 12. The contents are subject to change until release.

Build 16

New disallow and allow options for the java.security.manager system property (JDK-8191053)


New "disallow" and "allow" token options have been added to the java.security.manager system property. In the JDK implementation, if the Java virtual machine is started with the system property java.security.manager set to "disallow" then the System.setSecurityManager method cannot be used to set a security manager and will throw an UnsupportedOperationException. The "disallow" option can improve run-time performance for applications that never set a security manager. For further details on the behavior of these options, see the class description of java.lang.SecurityManager.

Build 14

Support dns_canonicalize_hostname in krb5.conf (JDK-8210821)


The dns_canonicalize_hostname flag in the krb5.conf configuration file is now supported by the JDK Kerberos implementation. When set to "true", a short hostname in a service principal name will be canonicalized to a fully qualified domain name if available. Otherwise, no canonicalization is performed. The default value is "true". This is also the behavior before JDK 12.

Removal of com.sun.awt.SecurityWarning Class (JDK-8210692)


The com.sun.awt.SecurityWarning class was deprecated forRemoval=true in JDK 11 (JDK-8205588). This class was unused in the JDK and has been removed in this release.

Build 12

ChaCha20 and Poly1305 TLS Cipher Suites (JDK-8140466)


New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, and TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

Please refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for more details on these new TLS cipher suites.

Build 11

Added Additional TeliaSonera Root Certificate (JDK-8210432)


The following root certificate have been added to the OpenJDK cacerts truststore:

  • TeliaSonera
    • teliasonerarootcav1

      DN: CN=TeliaSonera Root CA v1, O=TeliaSonera

Build 8

Disabled All DES TLS Cipher Suites (JDK-8208350)


DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.