JDK 11.0.1 Release Notes

Java Development Kit 11 Release Notes

Java™ SE Development Kit 11.0.1 (JDK 11.0.1)

October 16, 2018

The full version string for this update release is 11.0.1+13 (where "+" means "build"). The version number is 11.0.1.

IANA Data 2018e

JDK 11.0.1 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.1 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.1+13
10 10.0.99
9 9.0.99
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.1) will expire with the release of the next critical patch update scheduled for January 15, 2019.


 Added Additional TeliaSonera Root Certificate

The following root certificate have been added to the OpenJDK cacerts truststore:

  • TeliaSonera
    • teliasonerarootcav1

      DN: CN=TeliaSonera Root CA v1, O=TeliaSonera

See JDK-8210432

 Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

 Changed Central File System Location for usagetracker.properties File

The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf

There is no change in the file path for Linux, Solaris, or macOS.

JDK-8204901 (not public)

 Problem looking up Client Certificates in keystore

Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias​(String[] keyType, Principal[] issuers, Socket socket)

See JDK-8261624

 Disabled All DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.

See JDK-8208350

 Improved Cipher Inputs

The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

JDK-8201756 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:


LDAPS Communication Failure 
Application code using LDAPS with a socket connect timeout that is <= 0 (the default value) may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:

javax.naming.ServiceUnavailableException: <server:port>; socket closed
at   com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at   com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)

See JDK-8211107


Better HTTP Redirection Support 
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

JDK-8196902 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.1 Bug Fixes page.