Full release notes: https://bitly.com/openjdk1108
The following expired Comodo root CA certificate was removed from the
cacerts keystore: +
alias name "addtrustclass1ca [jdk]"
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
The following expired DocuSign root CA certificate was removed from the
cacerts keystore: +
alias name "keynectisrootca [jdk]"
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message: "FIPS flag set for non-internal module" when such a library was configured for NSS in non-FIPS mode.
This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.
Further information can be found in JDK-8238555.
In JDK 11 and later,
javax.net.ssl.SSLEngine by default used client
mode when handshaking. As a result, the set of default enabled
protocols may differ to what is expected.
SSLEngine would usually be
used in server mode. From this JDK release onwards,
default to server mode. The
javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may
be used to configure the mode.
Two new System Properties are added to customize the TLS signature
schemes in JDK.
jdk.tls.client.SignatureSchemes is added for TLS
client side, and
jdk.tls.server.SignatureSchemes is added for server
Each System Property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
sudo dnf upgrade --advisory=FEDORA-2020-93cc9c3ef2
Please login to add feedback.