JDK 25.0.2 Release Notes

New Features

Endpoint Identification Enabled by Default for RMI Connections over TLS (JDK-8341496 (not public))

core-libs/java.rmi

RMI will use TLS connections if the javax.rmi.ssl.SslRMIClientSocketFactory class is used. These connections now have TLS endpoint identification enabled by default. This may cause some previously-working TLS connections to fail. If this occurs, ensure that the certificate presented by the server has a Subject Alternative Name that matches the server's hostname. Alternatively, endpoint identification for RMI TLS connections can be disabled on the client side by setting the jdk.rmi.ssl.client.enableEndpointIdentification system property to false.
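The check that endpoint identification performs is, at its core, a match of the server's hostname against the certificate's Subject Alternative Name entries. The following Python model (an added example, not JDK code, and not a reimplementation of the JDK's own matcher) shows that comparison over a constructed SAN list in the shape Python's ssl.SSLSocket.getpeercert() returns, so an operator can pre-check a server certificate against the hostname RMI clients will use before enabling TLS. The hostnames, SAN values and IP addresses below are constructed sample data.

```python
"""Check whether a server certificate's Subject Alternative Names cover a hostname.

Model of the hostname check that TLS endpoint identification performs; it is
not the JDK implementation. SAN entries are (type, value) pairs as returned in
ssl.SSLSocket.getpeercert()['subjectAltName'], e.g. ('DNS', 'rmi.example.com')
or ('IP Address', '10.0.0.5').
"""
import ipaddress


def _dns_name_match(pattern, hostname):
    """Match one dNSName SAN (already lowercased, no trailing dot) against hostname.

    A wildcard is accepted only as the entire left-most label and only when the
    pattern has at least three labels, so '*.com' never matches 'example.com'.
    """
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches_host(subject_alt_names, hostname):
    """Return True if any SAN entry covers hostname (a DNS name or IP literal)."""
    host = hostname.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)   # IP literals must match an iPAddress SAN
    except ValueError:
        ip = None
    for san_type, value in subject_alt_names:
        if ip is not None:
            if san_type == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif san_type == "DNS" and _dns_name_match(value.rstrip(".").lower(), host):
            return True
    return False


def endpoint_check_report(subject_alt_names, hostname):
    """Summarise the outcome the way an operator would want to read it."""
    if san_matches_host(subject_alt_names, hostname):
        return "ok: a SAN entry matches %s" % hostname
    names = ", ".join("%s=%s" % (t, v) for t, v in subject_alt_names) or "(none)"
    return "mismatch: no SAN entry matches %s (certificate has: %s)" % (hostname, names)


if __name__ == "__main__":
    # Constructed sample SAN list for a hypothetical RMI registry host.
    sample_sans = [("DNS", "rmi.example.com"),
                   ("DNS", "*.internal.example.com"),
                   ("IP Address", "10.0.0.5")]
    for name in ("rmi.example.com", "node1.internal.example.com", "10.0.0.6"):
        print(endpoint_check_report(sample_sans, name))
```

Run the report against the hostname that appears in the RMI stubs handed out by the registry, not against the name used to reach the registry itself; a certificate that covers only the latter will fail endpoint identification when clients follow stubs to the exported objects.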

Notable Issues Fixed

-XX:+UseTransparentHugePages Again Enables Transparent Huge Pages for G1 (JDK-8366434)

hotspot/gc

G1, the default garbage collector, can again properly utilize Transparent Huge Pages (THP) on systems with the THP mode configured as madvise.

The issue preventing the option -XX:+UseTransparentHugePages from enabling THP has been resolved.

Other Notes

Filter Rules for URIs in the Authority Info Access Extension for Certificates (JDK-8368032 (not public))

security-libs/java.security

A new system and security property, com.sun.security.allowedAIALocations, has been introduced. This property lets users define one or more filtering rules to be applied to URIs obtained from the Authority Information Access extension of X.509 certificates. These filter rules apply specifically to the CA Issuers access method. Any CA Issuers URI in an X.509 certificate is only followed when the com.sun.security.enableAIAcaIssuers system property is enabled and the filter allows the URI.

In order to set the rules, the user must set either the com.sun.security.allowedAIALocations security property or the system property by the same name. If the system property has a value, it will override the security property. By default the property is blank, which enacts a deny-all ruleset.

For either property, the value consists of a set of space-separated rules that take the form of a URI, with the following constraints:

  • The URI must be absolute and hierarchical.
  • The URI must only use one of the following schemes: http, https, ldap, or ftp (case-insensitive).
  • A hostname or address must be specified and must match (case-insensitive). No name resolution is performed on hostnames to match URIs with IP addresses.
  • The port number must match. Where a port number is omitted, the well-known port will be used in the comparison.
  • For hierarchical schemes (http, https, ftp):
    • The rule's normalized path portion of the URI is matched in a case-sensitive manner. If the final component does not end in a slash (/), it is considered to be a file path and must exactly match the CA issuer URI path component. If the rule's path component ends in a slash, then it must match or be a prefix of the CA issuer URI path component (for example, a filter path of /ab/cd/ will match CA issuer paths of /ab/cd/, /ab/cd/ef and /ab/cd/ef/ghi).
    • Query strings and fragments will be ignored when matching CA issuer URIs.
  • For ldap URIs:
    • The base DN must be an exact match (case-insensitive).
    • Any query string in the rule, if specified, will be ignored.

For the properties, a single value of "any" (case-insensitive) will create an allow-all rule.
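To make the rule semantics above concrete, here is a Python model of the matcher (an added example, not the JDK's implementation) that parses a com.sun.security.allowedAIALocations value and decides whether a given CA Issuers URI would be followed. It covers the blank (deny-all) and "any" (allow-all) values, the system-property-over-security-property precedence, scheme and host case-insensitivity, well-known default ports, case-sensitive normalized path matching with the trailing-slash prefix rule, query/fragment stripping, and exact case-insensitive base-DN matching for ldap. All hostnames and paths below are constructed sample values.

```python
"""Model of the com.sun.security.allowedAIALocations rule matching.

This is an illustrative reimplementation of the documented semantics, not the
JDK's own code. Rules are space-separated absolute URIs; "" denies everything
and "any" allows everything.
"""
import posixpath
from urllib.parse import unquote, urlparse

# Allowed schemes and the well-known port used when a URI omits one.
SCHEMES = {"http": 80, "https": 443, "ftp": 21, "ldap": 389}
HIERARCHICAL = {"http", "https", "ftp"}


def _norm_path(path):
    """Normalize a path (collapse ., .. and //) but keep a trailing slash."""
    if not path:
        return "/"
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def _base_dn(path):
    """The base DN of an ldap URI is its path with the leading slash removed."""
    return unquote(path.lstrip("/")).lower()


class Rule:
    """One filter rule: scheme, host, port and either a path or a base DN."""

    def __init__(self, text):
        u = urlparse(text)
        scheme = u.scheme.lower()
        if scheme not in SCHEMES:
            raise ValueError("unsupported scheme in rule: %r" % text)
        if not u.hostname:
            raise ValueError("rule must be absolute with a host: %r" % text)
        self.scheme = scheme
        self.host = u.hostname.lower()              # no name resolution is done
        self.port = u.port or SCHEMES[scheme]       # well-known port if omitted
        if scheme in HIERARCHICAL:
            self.path = _norm_path(u.path)          # case-sensitive
        else:
            self.path = _base_dn(u.path)            # ldap: query in rule ignored

    def matches(self, issuer_uri):
        u = urlparse(issuer_uri)
        if u.scheme.lower() != self.scheme or not u.hostname:
            return False
        if u.hostname.lower() != self.host or (u.port or SCHEMES[self.scheme]) != self.port:
            return False
        if self.scheme in HIERARCHICAL:
            path = _norm_path(u.path)               # query and fragment ignored
            if self.path.endswith("/"):
                return path.startswith(self.path)   # directory-style prefix rule
            return path == self.path                # file-style exact rule
        return _base_dn(u.path) == self.path        # ldap base DN, case-insensitive


class AIAPolicy:
    """The parsed value of the property: deny-all, allow-all, or a rule list."""

    def __init__(self, value):
        value = (value or "").strip()
        self.allow_all = value.lower() == "any"
        self.rules = [] if (self.allow_all or not value) else [Rule(t) for t in value.split()]

    def allows(self, issuer_uri):
        return self.allow_all or any(r.matches(issuer_uri) for r in self.rules)


def effective_policy(system_prop, security_prop):
    """A non-empty system property overrides the security property."""
    return AIAPolicy(system_prop if system_prop else security_prop)


def should_follow(enable_aia_ca_issuers, policy, issuer_uri):
    """A CA Issuers URI is followed only if AIA fetching is on and the filter allows it."""
    return bool(enable_aia_ca_issuers) and policy.allows(issuer_uri)


if __name__ == "__main__":
    # Constructed sample configuration: one prefix rule, one file rule, one ldap rule.
    policy = effective_policy(
        "", "https://ca.example.com/certs/ ftp://ftp.example.com/ca.crt "
            "ldap://ldap.example.com/CN=CA,DC=example,DC=com?cACertificate")
    for uri in ("https://ca.example.com/certs/sub/issuer.crt?x=1",
                "https://ca.example.com:8443/certs/issuer.crt",
                "ldap://ldap.example.com/cn=ca,dc=example,dc=com"):
        print(uri, "->", should_follow(True, policy, uri))
```

Because the default value is blank and blank means deny-all, enabling com.sun.security.enableAIAcaIssuers alone no longer causes certificate fetches; a deployment that relies on AIA chasing must also list the issuer locations it trusts, preferring directory-style rules with a trailing slash over "any".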