JDK 17 Early-Access Release Notes

This is a draft of the release notes that will accompany JDK 17. The contents are subject to change until release.

Build 21

System property for the native character encoding name (JDK-8265989)


A new system property, native.encoding, has been introduced. It provides the underlying host environment's character encoding name. For example, it is typically UTF-8 on Linux and macOS, and Cp1252 on Windows (en-US). Refer to the CSR for more detail.

Disable SHA-1 JARs (JDK-8196415)


JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.
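To see how a given runtime classifies existing JARs under this policy, the following added example (not part of the release notes or of the JDK sources) prints the two security properties named above and reports JARs that carry signature files but yield no code signers. The class name SignedJarAudit and the status strings are illustrative; JAR paths are passed on the command line.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Security;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: find JARs that have signature files but that this runtime
// treats as unsigned (for instance because of the SHA-1 restriction).
public class SignedJarAudit {

    // Signature metadata directly under META-INF/ is never itself signed.
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    static String audit(String path) throws Exception {
        boolean hasSignatureFile = false;
        int signed = 0, unsigned = 0;
        try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                if (isSignatureMetadata(e.getName())) {
                    hasSignatureFile |= e.getName().toUpperCase(Locale.ROOT).endsWith(".SF");
                    continue;
                }
                // Signers are only known once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                if (e.getCodeSigners() != null) signed++; else unsigned++;
            }
        }
        if (!hasSignatureFile) return "UNSIGNED (no signature files)";
        if (signed == 0) return "TREATED AS UNSIGNED (signature present but not accepted)";
        return unsigned == 0 ? "SIGNED" : "PARTIALLY SIGNED (" + unsigned + " entries without signer)";
    }

    public static void main(String[] args) throws Exception {
        for (String p : new String[] {"jdk.jar.disabledAlgorithms", "jdk.certpath.disabledAlgorithms"})
            System.out.println(p + " = " + Security.getProperty(p));
        for (String path : args) System.out.println(path + ": " + audit(path));
    }
}
```

A JAR reported as "TREATED AS UNSIGNED" is a candidate for re-signing with a stronger algorithm; jarsigner -verify -verbose gives the per-algorithm detail.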

Build 20

Console charset API (JDK-8264208)


java.io.Console has been updated to define a new method that returns the Charset for the console. The returned Charset may be different from the one returned by the Charset.defaultCharset() method. For example, it returns IBM437 while Charset.defaultCharset() returns windows-1252 on Windows (en-US). Refer to the CSR for more detail.

Build 19

Support for CLDR Version 39 (JDK-8258794)


Locale data based on Unicode Consortium's CLDR has been upgraded to version 39. For the detailed locale data changes, please refer to the Unicode Consortium's CLDR release notes:

Build 18

Provide the support for specifying a signer in keytool -genkeypair command (JDK-8260693)


The -signer and -signerkeypass options have been added to the -genkeypair command of the keytool utility. The -signer option specifies the keystore alias of a PrivateKeyEntry for the signer and the -signerkeypass option specifies the password used to protect the signer’s private key. These options allow keytool -genkeypair to sign the certificate using the signer’s private key. This is especially useful for generating a certificate with a key agreement algorithm as its public key algorithm.

Build 13

Collections.unmodifiable* methods are idempotent for their corresponding collection. (JDK-6323374)


The unmodifiable* methods in java.util.Collections will no longer re-wrap a given collection with an unmodifiable view if that collection has already been wrapped by the same method.

Disable SHA-1 XML Signatures (JDK-8259709)


XML signatures that use SHA-1 based digest or signature algorithms have been disabled by default. SHA-1 is no longer a recommended algorithm for digital signatures. If necessary, and at their own risk, applications can work around this policy by modifying the jdk.xml.dsig.secureValidationPolicy security property and re-enabling the SHA-1 algorithms.

Build 12

Deprecate 3DES and RC4 in Kerberos (JDK-8139348)


The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set "allow_weak_crypto = true" in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

Build 11

Updated keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 (JDK-8257497)


The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

Build 10

Deprecate the socket impl factory mechanism (JDK-8235139)


The following static methods to set the system-wide socket implementation factories have been deprecated:

  • static void ServerSocket.setSocketFactory(SocketImplFactory fac)
  • static void Socket.setSocketImplFactory(SocketImplFactory fac)
  • static void DatagramSocket.setDatagramSocketImplFactory(DatagramSocketImplFactory fac)

These API points were used to statically configure a system-wide factory for the corresponding socket types in the java.net package. These methods have mostly been obsolete since Java 1.4.

Build 9

Removed Telia Company's Sonera Class2 CA certificate (JDK-8225081)


The following root certificate has been removed from the cacerts truststore:

+ Telia Company
  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI

Build 8

Added 2 HARICA Root CA Certificates (JDK-8256421)


The following root certificates have been added to the cacerts truststore:

  + haricarootca2015
    DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

  + haricaeccrootca2015
    DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

Enable XML Signature secure validation mode by default (JDK-8259801)


The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures is subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.
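The following added example (not taken from the release notes or the JDK sources) signs the same constructed document once with RSA-SHA1 and once with RSA-SHA256, then validates both without touching the org.jcp.xml.dsig.secureValidation property. On a runtime with the defaults described in these notes, the SHA-1 signature is expected to be refused and the SHA-256 one accepted. The class name, the sample element and the throwaway key are assumptions of the example.

```java
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Added example: validate SHA-1 and SHA-256 XML signatures under default settings.
public class XmlSigPolicyCheck {
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");

    // Builds a one-element document (constructed sample) and adds an enveloped signature.
    static Document sign(KeyPair kp, String sigAlg, String digestAlg) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElementNS(null, "order"));
        Reference ref = F.newReference("", F.newDigestMethod(digestAlg, null),
            List.of(F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod(sigAlg, null), List.of(ref));
        F.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    // Validates with the runtime defaults; policy violations surface as exceptions.
    static String validate(Document doc, PublicKey key) {
        try {
            DOMValidateContext ctx = new DOMValidateContext(key,
                doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
            return F.unmarshalXMLSignature(ctx).validate(ctx) ? "valid" : "invalid";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();                    // throwaway test key
        for (String[] a : new String[][] {{SignatureMethod.RSA_SHA1, DigestMethod.SHA1},
                                          {SignatureMethod.RSA_SHA256, DigestMethod.SHA256}})
            System.out.println(a[0] + " -> " + validate(sign(kp, a[0], a[1]), kp.getPublic()));
    }
}
```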

Configurable extensions with system properties (JDK-8217633)


Two new system properties have been added. The system property, "jdk.tls.client.disableExtensions", is used to disable TLS extensions used in the client. The system property, "jdk.tls.server.disableExtensions", is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

Build 7

New system property to enable the OCSP Nonce Extension (JDK-8256895)


A new system property jdk.security.certpath.ocspNonce has been added to enable the OCSP Nonce Extension. This system property is disabled by default, and can be enabled by setting it to the value true. If set to true, the JDK implementation of PKIXRevocationChecker includes a nonce extension containing a 16 byte nonce with each OCSP request. See RFC 8954 for more details on the OCSP Nonce Extension.

Build 6

TreeMap.computeIfAbsent Mishandles Existing Entries Whose Values Are null (JDK-8259622)


Enhancement JDK-8176894 inadvertently introduced erroneous behavior in the TreeMap.computeIfAbsent method. The other TreeMap methods that were modified by this enhancement are unaffected. The erroneous behavior is that, if the map contains an existing mapping whose value is null, the computeIfAbsent method immediately returns null. To conform with the specification, computeIfAbsent should instead call the mapping function and update the map with the function's result.

jarsigner tool warns if weak algorithms are used in signer’s certificate chain (JDK-8259401)


The jarsigner tool has been updated to warn users when weak keys or cryptographic algorithms are used in certificates of the signer’s certificate chain.

Build 3

Clarify the Specification of KeyStoreSpi.engineStore(KeyStore.LoadStoreParameter) and in KeyStore.store(KeyStore.LoadStoreParameter) Methods (JDK-8246005)


The specifications of the KeyStoreSpi.engineStore(KeyStore.LoadStoreParameter param) and KeyStore.store(KeyStore.LoadStoreParameter param) methods have been updated to specify that an UnsupportedOperationException is thrown if the implementation does not support the engineStore() operation. This change adjusts the specification to match the existing behavior.

Not Yet Integrated

macOS on ARM early access available (JDK-8266858)


A new macOS port is now available for ARM systems. The ARM port should behave similarly to the Intel port. There are no known feature differences. When reporting issues on macOS please specify if using ARM or x64.

Modernization of Ideal Graph Visualizer (JDK-8254145)


Ideal Graph Visualizer (IGV), a tool to explore visually and interactively the intermediate representation used in the HotSpot VM C2 just-in-time (JIT) compiler, has been modernized. Enhancements include:

  • support for running IGV on up to JDK 15 (the latest version supported by IGV's underlying NetBeans Platform);
  • a faster, Maven-based IGV build system;
  • stabilization of block formation, group removal, and node tracking;
  • more intuitive coloring and node categorization in default filters; and
  • ranked quick node search with more natural default behavior.

The modernized IGV is partially compatible with graphs generated from earlier JDK releases: it supports basic functionality such as graph loading and visualization, but auxiliary functionality such as node clustering and coloring might be affected.

Details about building and running IGV are available in the src/utils/IdealGraphVisualizer/README.md file in the tool's source directory.


URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode (JDK-8258432)


Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.

New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations (JDK-8244473)


jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of Java objects from the javaSerializedData LDAP attribute. To prevent deserialization of Java objects from the attribute, the system property can be set to false. By default, deserialization of Java objects from the javaSerializedData attribute is allowed.
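Before setting jdk.jndi.object.factoriesFilter, a candidate pattern can be previewed with the JEP 290 filter API. The following is an added example, not code from the JDK or these notes: the two factory classes are hypothetical stand-ins for application classes, and it only shows how the pattern syntax classifies class names, not how the JNDI providers invoke the filter.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;

// Added example: preview how a JEP 290 pattern classifies object factory classes.
public class FactoriesFilterPreview {
    // Hypothetical factory classes standing in for application code.
    static class TrustedFactory {}
    static class OtherFactory {}

    // Presents a class to the filter the way a class-name check would.
    static Status check(ObjectInputFilter filter, Class<?> factory) {
        return filter.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return factory; }
            public long arrayLength() { return -1; }
            public long depth() { return 1; }
            public long references() { return 0; }
            public long streamBytes() { return 0; }
        });
    }

    public static void main(String[] args) {
        // Allow exactly one factory class, then reject everything else with "!*".
        String pattern = TrustedFactory.class.getName() + ";!*";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        System.out.println("pattern: " + pattern);
        for (Class<?> c : new Class<?>[] {TrustedFactory.class, OtherFactory.class})
            System.out.println(c.getName() + " -> " + check(filter, c));
    }
}
```

Ending the pattern with "!*" avoids UNDECIDED results, so every class not explicitly listed is rejected.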