Chapter 3. Red Hat build of OpenJDK features

3.1. New features and enhancements

This section describes the new features introduced in this release. It also contains information about changes in the existing features.

3.1.1. Added -groupname option to keytool key pair generation command

A new -groupname option has been added to the keytool -genkeypair command. Use the -groupname option to specify a named elliptic curve (EC) group when generating a key pair.

For example, the following command generates an EC key pair using the secp384r1 curve:

    keytool -genkeypair -keyalg EC -groupname secp384r1

It is recommended that you use the -groupname option over the -keysize option, because there might be multiple curves of the same size.
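The same distinction exists in the Java API, shown here as an added example that is not part of the release notes: ECGenParameterSpec pins the curve by name in the way -groupname does, while initialize(int) leaves the choice of curve to the provider in the way -keysize does. The class name NamedCurveDemo and the two curve names tried are choices made for this illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.ProviderException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;

// Added illustration, not code from the release notes. The class name and
// the curve names tried in main() are assumptions made for this example.
public class NamedCurveDemo {

    // Generate a key pair on an explicitly named curve: the API counterpart
    // of "keytool -genkeypair -keyalg EC -groupname <name>".
    static ECParameterSpec byName(String curve) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve));
        return ((ECPublicKey) kpg.generateKeyPair().getPublic()).getParams();
    }

    // Generate a key pair by size only: the counterpart of "-keysize <bits>".
    // Which curve of that size is used is decided by the provider.
    static ECParameterSpec bySize(int bits) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(bits);
        return ((ECPublicKey) kpg.generateKeyPair().getPublic()).getParams();
    }

    // Two parameter sets describe the same curve only if the curve equation,
    // the base point and the group order all match.
    static boolean sameCurve(ECParameterSpec a, ECParameterSpec b) {
        return a.getCurve().equals(b.getCurve())
            && a.getGenerator().equals(b.getGenerator())
            && a.getOrder().equals(b.getOrder());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        ECParameterSpec sized = bySize(256);
        for (String name : new String[] {"secp256r1", "secp256k1"}) {
            try {
                ECParameterSpec named = byName(name);
                System.out.printf("%-10s field=%d bits, same curve as size 256: %b%n",
                    name, named.getCurve().getField().getFieldSize(), sameCurve(named, sized));
            } catch (GeneralSecurityException | ProviderException e) {
                // Not every JDK release ships every curve; report and continue.
                System.out.printf("%-10s not supported by this provider%n", name);
            }
        }
    }
}
```

When both curves are available, each reports a 256-bit field, but at most one of them can match the curve that the size-only request produced.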

For more information, see JDK-8213821.

3.1.2. Added support for X25519 and X448 in TLS

The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3.

The curve group x25519 is the most preferred of the default enabled named groups. The default ordered list is as follows:

  • x25519
  • secp256r1
  • secp384r1
  • secp521r1
  • x448
  • secp256k1
  • ffdhe2048
  • ffdhe3072
  • ffdhe4096
  • ffdhe6144
  • ffdhe8192

Use the system property jdk.tls.namedGroups to override the default list.

For more information, see JDK-8225764.

3.1.3. Added default native GSS-API library on Windows

A native GSS-API library has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It is activated by setting the sun.security.jgss.native system property to "true". A user can still use a third-party native GSS-API library instead by setting the system property sun.security.jgss.lib to its path.

For more information, see JDK-8214079.