Chapter 2. Eclipse Temurin features

Eclipse Temurin does not contain structural changes from the upstream distribution of OpenJDK.

For the list of changes and security fixes included in the latest OpenJDK 17 release of Eclipse Temurin, see OpenJDK 17.0.4 Released.

New features and enhancements

Review the following release notes to understand new features and feature enhancements included with the Eclipse Temurin 17.0.4 release:

HTTPS channel binding support for Java Generic Security Services (GSS) or Kerberos

The OpenJDK 17.0.4 release supports TLS channel binding tokens when Negotiate selects Kerberos authentication over HTTPS by using

Channel binding tokens are required because of man-in-the-middle (MITM) attacks. A channel binding token is an enhanced form of security that can mitigate certain kinds of socially engineered attacks.

A MITM operates by intercepting communication from a client to a server. A client creates a binding between the connection security, such as a TLS server certificate, and higher-level authentication credentials, such as a username and a password. The server detects whether a MITM has deceived a client and, if so, shuts down the connection.

The jdk.https.negotiate.cbt system property controls this feature. See Misc HTTP URL stream protocol handler properties (Oracle documentation).

See JDK-8285240 (JDK Bug System).
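The following audit helper is an added example, not part of the original release notes or the JDK: it reports which Kerberos-protected hosts would receive a channel binding token for a given jdk.https.negotiate.cbt value. The value forms never, always, and domain:<comma-separated list> come from the Oracle networking properties documentation referenced above; the class name CbtPolicyAudit, the host list, and the case-insensitive matching are assumptions of this example.

```java
import java.util.List;
import java.util.Locale;

/** Added example: audits a jdk.https.negotiate.cbt value against hosts that need a CBT. */
public class CbtPolicyAudit {

    /** Returns true if the given property value would cause a CBT to be sent to host. */
    static boolean cbtSentTo(String policy, String host) {
        if (policy == null || policy.equals("never")) {
            return false;                      // default: CBTs are never sent
        }
        if (policy.equals("always")) {
            return true;                       // CBT on every Kerberos attempt over HTTPS
        }
        if (!policy.startsWith("domain:")) {
            // Report a typo instead of guessing what it enables.
            throw new IllegalArgumentException(
                "unrecognized jdk.https.negotiate.cbt value: " + policy);
        }
        String h = host.toLowerCase(Locale.ROOT);   // assumption: case-insensitive match
        for (String entry : policy.substring("domain:".length()).split(",")) {
            String d = entry.trim().toLowerCase(Locale.ROOT);
            if (d.isEmpty()) {
                continue;
            }
            if (d.startsWith("*.")) {
                // Wildcard entry: hosts under the named domain and its sub-domains.
                if (h.endsWith(d.substring(1))) {
                    return true;
                }
            } else if (h.equals(d)) {
                return true;                   // single host or literal address
            }
        }
        return false;                          // no list entry matched: no CBT
    }

    public static void main(String[] args) {
        // Constructed sample: hosts that use Negotiate/Kerberos over HTTPS.
        List<String> kerberosHosts = List.of(
            "intranet.example.com", "wiki.corp.example.com", "legacy.example.net");
        String policy = System.getProperty("jdk.https.negotiate.cbt", "never");
        for (String host : kerberosHosts) {
            System.out.printf("%-24s CBT %s%n", host,
                cbtSentTo(policy, host) ? "sent" : "NOT sent");
        }
    }
}
```

Run it with the same option the application uses, for example java -Djdk.https.negotiate.cbt="domain:*.example.com" CbtPolicyAudit.java, and any host reported as NOT sent authenticates without channel binding.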

Incorrect handling of quoted arguments in ProcessBuilder

Before the OpenJDK 17.0.4 release, arguments to ProcessBuilder on Microsoft Windows that contained an opening double quotation mark ("), a backslash (\), and a closing double quotation mark (") caused the command to fail. For example, the command prompt on Microsoft Windows would not correctly process the argument "C:\\Program Files\", because the argument contained a closing double quotation mark.

The OpenJDK 17.0.4 release resolves this issue by restoring the earlier required behavior for ProcessBuilder arguments that contain double quotation marks. ProcessBuilder no longer applies any special treatment to an argument that includes a backslash (\) before the closing double quotation mark.

See JDK-8283137 (JDK Bug System).

Default JDK compressor closes when IOException is encountered

The OpenJDK 17.0.4 release modifies the DeflaterOutputStream.close() and GZIPOutputStream.finish() methods. This update closes the associated default JDK compressor before propagating a Throwable up the stack.

The release also modifies the ZipOutputStream.closeEntry() method. This update closes the associated default JDK compressor before propagating an IOException that is not of type ZipException up the stack.

See JDK-8278386 (JDK Bug System).

New system property to disable Microsoft Windows Alternate Data Stream support in

The Microsoft Windows implementation of provides access to NTFS Alternate Data Streams (ADS) by default. These streams follow the format filename:streamname. The OpenJDK 17.0.4 release adds a system property. With this system property, you can disable ADS support in, by setting the system property to false.


Disabling ADS support in results in stricter path checking that prevents the use of special device files, such as NUL:.

See JDK-8285660 (JDK Bug System).

Revised on 2023-11-03 09:30:40 UTC