JDK 24 Early-Access Release Notes

The locale data based on the Unicode Consortium's CLDR has been upgraded to version 46. Besides the usual addition of new locale data and translation changes, there are notable changes from the upstream CLDR, affecting Date/Time/Number formattings:

• First day of week is Monday in UAE [CLDR-15697]{https://unicode-org.atlassian.net/browse/CLDR-15697)
• Default numbering system for Arabic in non-Arabic-speaking locations CLDR-17553
• Comma is added for some date formatting patterns CLDR-17812 -
• Some time zone names changed due to them becoming links to other zones CLDR-17960

Note that locale data is subject to change in a future release of the CLDR. Although not all locale data changes affect the JDK, users should not assume stability across releases. For more details, please refer to the Unicode Consortium's CLDR release notes and their locale data deltas.

The jar tool's extract operation has been enhanced to allow the --keep-old-files or the -k options to be used to preventing overwriting existing files.

Example Usages:

jar xkf foo.jar

or

jar --extract --keep-old-files --file foo.jar

Either of these commands will extract the foo.jar, and if an entry with the same name already exist in the target directory, then the existing file will not be overwritten.

The java.net.http.HttpClient will now report HTTP/2 flow control errors to the server when they are detected. This is an implementation detail that should be transparent to users of the HttpClient API, but could result in streams being reset or connections being closed if connecting to a non-conformant HTTP/2 server.

The jar tool's extract operation has been enhanced to allow the --dir or the -C options to be used to specify the directory where the archive will be extracted.

Example Usages:

jar -xf foo.jar -C /tmp/bar/

or

jar --extract --file foo.jar --dir /tmp/bar/

Either of these commands will extract the foo.jar to the /tmp/bar directory.

jrunscript tool has been deprecated and will be removed in a future release. Usage of this tool will now print a deprecation warning.

The JDK1.1 compatible behavior for "EST", "MST", and "HST" time zones has been removed. The behavior was enabled by setting the sun.timezone.ids.oldmapping system property, which is a no-op in this release.

IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.

The new tzdata changes also impact some legacy zone IDs. Mapping of EST/MST/HST in java.itme.ZoneId.SHORT_IDS have changed from fixed offset zones to the links to other existing time zones with 2024b. "EST" now links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". Parsing of the short zone names "EST", "MST", and "HST" is not affected by this change. Further details are available at JDK-8340138

The following root certificates have been added to the cacerts truststore:

+ SSL.com
  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

The java.security security properties file and those referred to by the java.security.properties system property now support including other properties files. The directive include <path-to-a-file> can be used for this purpose. The effect of including a file is equivalent to defining its properties inline at the inclusion point. See more information and examples in the Security Properties Files Inclusion section of the Security Developer Guide and in JDK-8319333.

As a result of this change, the name include can no longer be used to define a property in a security properties file. If the name include is passed to the java.security.Security::getProperty or ::setProperty APIs, an IllegalArgumentException is thrown.

The debugd subcommand of the jhsdb tool is deprecated, for removal in a future release. jhsdb debugd is an RMI server which provides a remote interface for other jhsdb commands. Those commands use the --connect option which is therefore also deprecated for removal. This will not affect usage of jhsdb for debugging local VMs or core files.

A new JDK-specific monitoring and management interface jdk.management.VirtualThreadSchedulerMXBean has been added to allow Java Management Extension (JMX) based tooling monitor and manage the virtual thread scheduler. The interface supports monitoring the virtual thread scheduler's target parallelism, the threads used by the scheduler, and the number of virtual threads queued to the scheduler. It also supports dynamically changing the scheduler's target parallelism.

Some javax.management classes contained a feature for Serialization compatibility with very old JMX releases (1.0, 1.1, 1.2), which are from before JMX was an integrated part of the JDK (in JDK 5). This was enabled using the jmx.serial.form system property.

This compatibility logic offered no value, and only added complexity, so has been removed. This will not affect any JMX features, or any interactions between JMX features in different JDKs.

The Java Virtual Machine Specification is permissive regarding the number of entries of the RuntimeVisibleParameterAnnotations and RuntimeInvisibleParameterAnnotations attributes in the class file format. The javac tool was less permissive, and was rejecting class files that had a different number of entries than javac expected.

With JDK 24, this is fixed, and javac now accepts class files with any number of entries in the RuntimeVisibleParameterAnnotations and RuntimeInvisibleParameterAnnotations attributes. A compile-time warning is produced if the content of the attributes cannot be mapped to the corresponding method's parameters.

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

java.net.http.HttpClient would previously timeout if a server didn’t respond to a request which included a Expect: 100-Continue header. 
This release updates HttpClient to send the request body if the server doesn’t respond and brings the implementation in line with RFC 9110

JDK's java.desktop module has internal code that interoperates with multiple versions of the GTK platform library. This is primarily to support the Swing GTK LookAndFeel.

The JDK previously included support for interoperating with the GTK 2 version of the library, which is reaching the end of its life. GTK 3 long ago superseded it and is supported by JDK as the preferred default, in which case to use GTK 2, apps must request it using the jdk.gtk.version System property. And since many recent distros make GTK 2 only an optional install, it may require extra work to use it, and future distros will likely not provide any way to install it.

Since all versions of Linux to be supported by JDK 24 provide GTK3, GTK2 support in JDK is now removed.

Setting the jdk.gtk.version System property to 2 or 2.2 will no longer have any effect, GTK 3 will be loaded.

Reflectively invoking VarHandle signature polymorphic methods is specified to throw UnsupportedOperationException. However, the implementation previously threw UnsatisfiedLinkError in such case. The behavior was adjusted to conform to the specification.

Command line arguments to the Java launcher are no longer converted with Windows' "best-fit" mapping when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher's argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings.

The javadoc for SSLSessionContext has been reworded to make it clear that when the timeout limit is exceeded for a session, the object is marked so that future connections cannot resume or rejoin the session. Active sessions can continue to be used so long as resume and rejoin operations are not attempted.

In previous releases, MethodTypeDesc.resolveConstantDesc threw an unchecked TypeNotPresentException instead of a checked ReflectiveOperationException when a component class was not found. This behavior is now corrected to throw a ClassNotFoundException, conforming to the specification.

Code that previously handled TypeNotPresentException in addition to ReflectiveOperationException can consolidate the exception handling into the existing ReflectiveOperationException handling.

A new overloaded method java.lang.Process#waitFor(Duration) has been added. Existing waitFor() method with timeout needs both a primitive time out value and its unit. The new method uses java.time.Duration so that the user will not be confused with the unit.

The SunPKCS11 provider has been enhanced to support the following AES CTS transformations for the Cipher service type:

• AES/CTS/NoPadding
• AES_128/CTS/NoPadding
• AES_192/CTS/NoPadding
• AES_256/CTS/NoPadding

The Addendum to NIST Special Publication 800-38A defines three variants of Ciphertext Stealing for CBC mode: CBC-CS1, CBC-CS2, and CBC-CS3. To ensure interoperability with SunJCE and Kerberos which use the CS3 variant, the SunPKCS11 provider needs to know the variant implemented by the underlying PKCS #11 library and convert the data if it is not in the CS3 variant. A new SunPKCS11 provider configuration attribute named cipherTextStealingVariant is introduced and must be set with any of the following values: CS1, CS2 or CS3 to indicate the CTS variant of the underlying PKCS #11 library, except for NSS as it is known to be CS1. Otherwise, the PKCS #11 CKM_AES_CTS mechanism is disabled.

A new section for PSSParameterSpec algorithm names has been added to the Java Security Standard Algorithm Names specification. This section lists the standard hash and message generation function (MGF) algorithms that can be specified when initializing an RSASSA-PSS signature with a PSSParameterSpec object.

DecimalFormat, when the format expects a suffix, now parses correctly when the parse value contains a decimal symbol and isParseIntegerOnly() would return true. Previously, parsing would fail for such cases and the correct value never returned.

For example, in the following snippet, 5 will now be returned by the parse(String) invocation, instead of a ParseException thrown.

    NumberFormat fmt = NumberFormat.getPercentInstance(Locale.US);
    fmt.setParseIntegerOnly(true);
    fmt.parse("500.55%");

The jstatd tool is deprecated, for removal in a future release. jstatd is an RMI server application which monitors HotSpot VMs, and provides a remote interface for jstat. This will not affect usage of jstat for monitoring local VMs using the Attach API.

A new lightweight locking mechanism for object monitor locking was introduced in JDK 21 under JDK-8291555. The LockingMode flag was introduced to allow selection of this new mechanism (LM_LIGHTWEIGHT, value 2) in place of the default mechanism (LM_LEGACY, value 1). In JDK 23, the LockingMode default was changed to LM_LIGHTWEIGHT.

In JDK 24, the LockingMode flag, along with the LM_LEGACY (1) and LM_MONITOR (0) modes are deprecated. The default locking mode LM_LIGHTWEIGHT will be the only internal implementation that is supported when these locking modes become obsolete in a future release.

This is not expected to change any semantic behavior of Java monitor locking and it is expected to be performance neutral for almost all applications.

TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more "" wildcard characters. For example, "TLS_RSA_" disables all cipher suites that start with "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have wildcard characters.