The SHA224withDSA and SHA256withDSA algorithms are now supported in the TLS 1.2 "signature_algorithms" extension in the SunJSSE provider. Note that this extension does not apply to TLS 1.1 and previous versions. For DSA keys, the default signature algorithm for keytool and jarsigner has changed from SHA1withDSA to SHA256withDSA and the default key size for keytool has changed from 1024 bits to 2048 bits. The DSA KeyPairGenerator implementation of the SUN provider no longer implements java.security.interfaces.DSAKeyPairGenerator.
We recommend that new certificates be requested and existing provider JARs be re-signed. For details on the JCE provider signing process, please refer to the How to Implement a Provider in the Java Cryptography Architecture documentation. The JRE expires whenever a new release with security vulnerability fixes becomes available.
This JRE (version 7u281) will expire with the release of the next critical patch update scheduled for January 19, 2021. It is not recommended to use this JDK (version 20.0.1) after the next critical patch update release, scheduled for July 18, 2023. Update Release Notes summarize changes made in all Java SE 7 update releases. Note that bug fixes are cumulative, that is, bug fixes in previous update versions are included in subsequent update versions. Server should not select RC4 unless there is no other stronger candidate in the client requested cipher suites.
For a more complete list of the bug fixes included in this release, see the JDK 7u251 Bug Fixes page. For a more complete list of the bug fixes included in this release, see the JDK 7u261 Bug Fixes page. For a more complete list of the bug fixes included in this release, see the JDK 7u271 Bug Fixes page.
Java 7 updates
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.
RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service. Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in /lib/security/java.security.
Java™ SE Development Kit 7, Update 341 (JDK 7u
To aid interoperability, the Java keystore type JKS now supports keystore compatibility mode by default. This mode enables JKS keystores to access both JKS and PKCS12 file formats. To disable keystore compatibility mode, set the Security property keystore.type.compat to the string value false. When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true".
- For a more complete list of the bug fixes included in this release, see the JDK 7u241 Bug Fixes page.
- This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.
- This JRE (version 7u91) will expire with the release of the next critical patch update scheduled for January 19, 2016.
- In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is "SHA1 jdkCA & usage TLSServer". If compatibility with earlier releases is important, you can, at your own risk, use the -sigalg option of jarsigner and specify the weaker SHA1withDSA algorithm. The workaround is to remove the -sigalg option and use the stronger SHA256withDSA default or, at your own risk, use the -keysize option of keytool to specify a smaller key size (1024).
As a result, the «US/Pacific-New» Zone name declared in the pacificnew data file is no longer available for use. For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. It has no effect on default behavior or when the com.sun.org.apache.xml.internal.security.ignoreLineBreaks property is set. This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures.