Chapter 3. Red Hat build of OpenJDK features
3.1. New features and enhancements
This section describes the new features introduced in this release. It also contains information about changes in the existing features.
For all the other changes and security fixes, see https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-January/004689.html.
3.1.1. Added -groupname
option to keytool key pair generation command
A new -groupname
option has been added to the keytool -genkeypair
command. Use the -groupname
option to specify a named elliptic curve (EC) group when generating a key pair.
For example, the following command generates an EC key pair using the secp384r1 curve: keytool -genkeypair -keyalg EC -groupname secp384r1
It is recommended that you use the -groupname
option over the -keysize
option, because there might be multiple curves of the same size.
For more information, see JDK-8213821.
3.1.2. Added support for X25519
and X448
in TLS
The named elliptic curve groups x25519
and x448
are now available for JSSE key agreement in TLS versions 1.0 to 1.3.
The curve group x25519
is the most preferred of the default enabled named groups. The default ordered list is as follows:
-
x25519
-
secp256r1
-
secp384r1
-
secp521r1
-
x448
-
secp256k1
-
ffdhe2048
-
ffdhe3072
-
ffdhe4096
-
ffdhe6144
-
ffdhe8192
Use the system property jdk.tls.namedGroups
to override the default list.
For more information, see JDK-8225764.
3.1.3. Added default native GSS-API library on Windows
A native GSS-API library has been added to JDK on the Windows platform. The library is client-side only and uses the default credentials. It is activated by setting the sun.security.jgss.native
system property to "true". A user can still make use of a third-party native GSS-API library instead by setting the system property sun.security.jgss.lib
to its path.
For more information, see JDK-8214079.
3.1.4. Added jarsigner
to preserve POSIX file permission and symlink attribute
When signing a file that contains POSIX file permission or symlink attributes, jarsigner
now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify
operation for such files.
The jar
tool does not read or write these attributes. This change is more visible to tools like unzip
where these attributes are preserved.
For more information, see JDK-8248263.
Revised on 2024-05-09 16:46:18 UTC