RELEASE NOTES: JDK 11.0.30

Notes generated: Thu Dec 04 21:08:30 CET 2025

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description

Issue	Description
JDK-8245545	Disabled TLS_RSA Cipher Suites The TLSRSA cipher suites have been disabled by default, by adding "TLSRSA_" to the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. The TLSRSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLSRSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLSRSA cipher suites. Any attempts to use cipher suites starting with "TLSRSA" will fail with an `SSLHandshakeException`. Users can, at their own risk, re-enable these cipher suites by removing "TLSRSA_" from the `jdk.tls.disabledAlgorithms` security property. The following previously enabled cipher suites are now disabled: `TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA`
JDK-8341964	Mechanism to Disable TLS Cipher Suites by Pattern Matching TLS cipher suites can be disabled with the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file using one or more `` wildcard characters. For example, "TLSRSA" disables all cipher suites that start with "TLSRSA". Only cipher suites starting with "TLS_" are allowed to have wildcard characters.

Disabled TLS_RSA Cipher Suites

The TLSRSA cipher suites have been disabled by default, by adding "TLSRSA_" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLSRSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLSRSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLSRSA cipher suites. Any attempts to use cipher suites starting with "TLSRSA" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "TLSRSA_" from the jdk.tls.disabledAlgorithms security property. The following previously enabled cipher suites are now disabled:

TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

JDK-8341964

Mechanism to Disable TLS Cipher Suites by Pattern Matching

TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more * wildcard characters. For example, "TLSRSA*" disables all cipher suites that start with "TLSRSA". Only cipher suites starting with "TLS_" are allowed to have wildcard characters.

hotspot/runtime

Issue Description

Issue	Description
JDK-8313083	Print 'rss' and 'cache' As Part of the Container Information The HotSpot runtime code has been updated to additionally print a container's 'rss' and 'cache'. The additional output can be found in the JVM's response to a "jcmd [PID] VM.info" request and in the `hs_err` file generated in case of JVM abrupt termination. This will help monitoring and troubleshooting OutOfMemory situations as OOM killer can terminate a process if its `rss` + `cache` usage reaches the max memory limit of the container.

JDK-8313083

Print 'rss' and 'cache' As Part of the Container Information

The HotSpot runtime code has been updated to additionally print a container's 'rss' and 'cache'. The additional output can be found in the JVM's response to a "jcmd [PID] VM.info" request and in the hs_err file generated in case of JVM abrupt termination.

This will help monitoring and troubleshooting OutOfMemory situations as OOM killer can terminate a process if its rss + cache usage reaches the max memory limit of the container.

FIXED ISSUES

client-libs

Priority	Bug	Summary
P4	JDK-8271456	Avoid looking up standard charsets in "java.desktop" module
P5	JDK-8274893	Update java.desktop classes to use try-with-resources

client-libs/2d

Priority	Bug	Summary
P3	JDK-8263622	The java.awt.color.ICC_Profile#setData invert the order of bytes for the "head" tag
P3	JDK-8355528	Update HarfBuzz to 11.2.0
P4	JDK-8366359	Test should throw SkippedException when there is no lpstat

client-libs/javax.imageio

Priority	Bug	Summary
P3	JDK-8347911	Limit the length of inflated text chunks

client-libs/javax.sound

Priority	Bug	Summary
P3	JDK-8350813	Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError

client-libs/javax.swing

Priority	Bug	Summary
P3	JDK-8213781	web page background renders blue in JEditorPane
P4	JDK-4895924	Strings in format #rgb not handled by Color.decode() (affects CSS / Swing)

core-libs/java.lang

Priority	Bug	Summary
P4	JDK-8368192	Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace

core-libs/java.net

Priority	Bug	Summary
P4	JDK-8359402	Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp

core-libs/java.util.concurrent

Priority	Bug	Summary
P4	JDK-8351933	Inaccurate masking of TC subfield decrement in ForkJoinPool

core-libs/java.util.jar

Priority	Bug	Summary
P4	JDK-8299748	java/util/zip/Deinflate.java failing on s390x

hotspot/compiler

Priority	Bug	Summary
P3	JDK-8354941	Build failure with glibc 2.42 due to uabs() name collision
P5	JDK-8257709	C1: Double assignment in InstructionPrinter::print_stack

hotspot/gc

Priority	Bug	Summary
P4	JDK-8366125	[11u] Test compiler/loopopts/TestRangeCheckPredicatesControl.java fails OOM

hotspot/runtime

Priority	Bug	Summary
P3	JDK-8347129	cpuset cgroups controller is required for no good reason
P3	JDK-8313083	Print 'rss' and 'cache' as part of the container information
P4	JDK-8264524	jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working

hotspot/test

Priority	Bug	Summary
P4	JDK-8358004	Delete applications/scimark/Scimark.java test

infrastructure/build

Priority	Bug	Summary
P3	JDK-8357657	[11u][windows] cannot stat '/jdk.crypto.ec/*': No such file or directory
P4	JDK-8336451	[11u] GHA macos-13 and macos-15 builders are unable to resolve local hostname
P4	JDK-8224087	Compile C code for at least C99 Standard compliance
P4	JDK-8369226	GHA: Switch to MacOS 15
P4	JDK-8341861	GHA: Use only retention mechanism to remove bundles

infrastructure/release_eng

Priority	Bug	Summary
P4	JDK-8366572	Bump update version of OpenJDK: 11.0.30

other-libs

Priority	Bug	Summary
P4	JDK-8364597	Replace THL A29 Limited with Tencent

security-libs/java.security

Priority	Bug	Summary
P4	JDK-8336854	CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout
P4	JDK-8368982	Test sun/security/tools/jarsigner/EC.java completed and timed out

security-libs/javax.net.ssl

Priority	Bug	Summary
P3	JDK-8341964	Add mechanism to disable different parts of TLS cipher suite
P3	JDK-8245545	Disable TLS_RSA cipher suites

security-libs/jdk.security

Priority	Bug	Summary
P3	JDK-8353299	VerifyJarEntryName.java test fails
P4	JDK-8339280	jarsigner -verify performs cross-checking between CEN and LOC
P4	JDK-8367782	VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName