3 Security Updates

This section provides details on the security updates in JDK releases.

Security Updates in JDK 15

The following are the notable security updates in JDK 15:

See Release Notes for additional information on security related changes.

Security Updates in JDK 14

The following are the notable security updates in JDK 14:

See Release Notes for additional information on security related changes.

Security Updates in JDK 13

Removal of Security Certificates

The following root certificates were removed from the keystore in JDK 13:

Security Updates in JDK 11 and JDK 12

The following security updates were made in JDK 11 and JDK 12:

The JDK 11 release included an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446).

TLS 1.3 is the latest iteration (August 2018) of the Transport Layer Security (TLS) protocol and is enabled by default in JDK 11. This version focuses not only on speed improvements, but also updates the overall security of the protocol by emphasizing modern cryptography practices, and disallows outdated or weak crypto algorithms. (For example, RSA key exchange and plain DSA signatures are no longer allowed.)

Several features were added to the TLS 1.3 protocol to improve backwards compatibility, but there are several issues of which you need to be aware. For details, see JEP 332.
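The following Java program is an added example (not code from this guide or from the JDK project) that shows how an application can verify, on the JDK it is actually running on, whether TLS 1.3 is among the default protocols, and how to build SSLParameters that drop the legacy versions (SSLv3, TLS 1.0, TLS 1.1) before they reach an SSLEngine or SSLSocket. The class name TlsVersionCheck and the host name example.invalid are assumptions for illustration; the javax.net.ssl calls are standard JDK APIs.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/**
 * Reports which TLS versions the running JDK supports and enables by default,
 * and builds SSLParameters restricted to the versions a migrated application
 * should still accept. Class name is an assumption for this example.
 */
public class TlsVersionCheck {

    // Protocol versions that should no longer be offered or accepted.
    private static final Set<String> LEGACY = Set.of("SSLv3", "TLSv1", "TLSv1.1");

    /** Every version the JDK's default SSLContext could negotiate. */
    public static List<String> supportedProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    /** The versions enabled by default (this is where TLSv1.3 appears from JDK 11 on). */
    public static List<String> defaultProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    public static boolean tls13IsDefault() throws NoSuchAlgorithmException {
        return defaultProtocols().contains("TLSv1.3");
    }

    /**
     * Copies the default parameters but keeps only TLSv1.3, plus TLSv1.2 when
     * the caller still needs it for peers that cannot do 1.3 yet.
     */
    public static SSLParameters modernParameters(boolean allowTls12) throws NoSuchAlgorithmException {
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        String[] kept = Arrays.stream(p.getProtocols())
                .filter(v -> !LEGACY.contains(v))
                .filter(v -> allowTls12 || !v.equals("TLSv1.2"))
                .toArray(String[]::new);
        p.setProtocols(kept);
        // Turn on host name verification so the engine checks the peer certificate's name.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Supported protocols:   " + supportedProtocols());
        System.out.println("Default protocols:     " + defaultProtocols());
        System.out.println("TLS 1.3 on by default: " + tls13IsDefault());

        SSLParameters restricted = modernParameters(true);
        // example.invalid is a placeholder host name; no connection is opened here.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("example.invalid", 443);
        engine.setUseClientMode(true);
        engine.setSSLParameters(restricted);
        System.out.println("Engine will offer:     " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

On a JDK 11 or later runtime the default list contains TLSv1.3 and the restricted engine offers only TLSv1.3 and TLSv1.2; running the same class on an older JDK makes the missing TLS 1.3 support visible before a deployment rather than after a failed handshake. The filter approach also survives future additions, because it removes known-bad versions instead of hard-coding the good ones.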

Removal of Security Certificates

The following root certificate was removed from the keystore in JDK 12:

The following root certificates were removed from the truststore in JDK 11:

Products that use certificates that have been removed may no longer work. If these certificates are required, then you must configure and populate the cacerts truststore with the missing certificates. To add certificates to the truststore, see keytool in the Java Development Kit Tool Specifications guide.

Security Updates in JDK 9 and JDK 10

Some security-related defaults have changed, starting from JDK 9.

JCE Jurisdiction Policy File Default is Unlimited

If your application previously required the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you no longer need to download or install them. They are included in the JDK and are activated by default.

If your country or usage requires a more restrictive policy, the limited Java cryptographic policy files are still available.

If you have requirements that are not met by either of the policy files provided by default, then you can customize these policy files to meet your needs.

See the crypto.policy Security property in the <java-home>/conf/security/java.security file, or Cryptographic Strength Configuration in the Java Platform, Standard Edition Security Developer's Guide.

You are advised to consult your export/import control counsel or attorney to determine the exact requirements.
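As an added example (not code from this guide or the JDK project), the program below shows how an application can confirm at startup which jurisdiction policy is in effect: it reads the crypto.policy Security property mentioned above, asks the JCE framework for the maximum AES key length it will permit, and actually initialises a 256-bit AES cipher, which is the operation that fails under the limited policy. The class name CryptoPolicyCheck is an assumption; the javax.crypto and java.security calls are standard JDK APIs.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

/**
 * Startup check for the JCE jurisdiction policy. Class name is an assumption
 * for this example.
 */
public class CryptoPolicyCheck {

    /**
     * Value of the crypto.policy Security property from
     * <java-home>/conf/security/java.security ("unlimited" or "limited").
     * When the property is absent the JDK behaves as unlimited.
     */
    public static String configuredPolicy() {
        String policy = Security.getProperty("crypto.policy");
        return policy == null ? "unlimited (property not set)" : policy;
    }

    /** True when the framework permits 256-bit AES keys (Integer.MAX_VALUE under unlimited). */
    public static boolean aes256Permitted() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /**
     * End-to-end check: generate a 256-bit key and initialise a cipher with it.
     * Under the limited policy Cipher.init throws InvalidKeyException ("Illegal key size").
     */
    public static boolean canInitAes256Cipher() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key); // provider generates a fresh random IV
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("crypto.policy:            " + configuredPolicy());
        System.out.println("Max AES key length:       " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 permitted:        " + aes256Permitted());
        System.out.println("AES-256 cipher init ok:   " + canInitAes256Cipher());
        if (!canInitAes256Cipher()) {
            // Fail fast: refusing to start is safer than silently downgrading key sizes.
            throw new IllegalStateException("JCE policy is limited; 256-bit AES unavailable");
        }
    }
}
```

Checking all three values together matters because the property only reports configuration, while the cipher initialisation reflects what the installed providers will actually do; a site that deploys the limited policy files, or a custom policy, shows up as a failed init rather than as a surprise deep inside the application.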

Create PKCS12 Keystores

We recommend that you use the PKCS12 format for your keystores. This format, which is the default keystore type, is based on the RSA PKCS #12 Personal Information Exchange Syntax Standard.

See Creating a Keystore to Use with JSSE in Java Platform, Standard Edition Security Developer's Guide and keytool in Java Development Kit Tool Specifications.
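The following Java program is an added example that is not code from this guide or the JDK project. It serves two passages above: the note under Removal of Security Certificates that a removed root must be added back to the truststore if a product depends on it, and the recommendation here to use PKCS12 keystores. It loads an existing truststore (for example a JKS cacerts copied out of an older JDK), adds an X.509 certificate from a file as a trusted entry after checking its validity period, and writes the result as a PKCS12 file. The class name TrustStoreTool, the command-line arguments and the alias are assumptions; java.security.KeyStore and CertificateFactory are standard JDK APIs.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Adds a trusted root certificate to a truststore and saves it as PKCS12.
 * Class name and argument layout are assumptions for this example.
 */
public class TrustStoreTool {

    /** Loads a keystore of the given type, or starts an empty one when the file is absent. */
    public static KeyStore load(Path file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, null);
        }
        return ks;
    }

    /** Reads one PEM or DER X.509 certificate and stores it as a trusted entry under alias. */
    public static X509Certificate addTrustedCert(KeyStore ks, String alias, Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(certFile)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity(); // refuse expired or not-yet-valid roots
            ks.setCertificateEntry(alias, cert);
            return cert;
        }
    }

    /** Copies all trusted-certificate entries into a new PKCS12 keystore and writes it. */
    public static void saveAsPkcs12(KeyStore src, Path out, char[] password) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isCertificateEntry(alias)) {
                p12.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (OutputStream os = Files.newOutputStream(out)) {
            p12.store(os, password);
        }
    }

    /** Aliases of trusted-certificate entries, useful for a before/after comparison. */
    public static List<String> trustedAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: TrustStoreTool <truststore-in> <store-type> <cert-file> <alias> <out.p12>");
            System.exit(2);
        }
        char[] password = System.console() != null
                ? System.console().readPassword("Truststore password: ")
                : new char[0];
        KeyStore ks = load(Path.of(args[0]), args[1], password);
        int before = trustedAliases(ks).size();
        X509Certificate added = addTrustedCert(ks, args[3], Path.of(args[2]));
        saveAsPkcs12(ks, Path.of(args[4]), password);
        System.out.println("Added " + added.getSubjectX500Principal() + " (" + before + " -> "
                + trustedAliases(ks).size() + " trusted entries), written to " + args[4]);
    }
}
```

Point the resulting file at the JVM with the javax.net.ssl.trustStore system property, or copy its entries into <java-home>/lib/security/cacerts, and keep the source of any re-added root on record: a certificate the JDK dropped was removed for a reason, so the entry should be reviewed again at the next JDK upgrade rather than carried forward indefinitely.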