diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java
new file mode 100644
index 0000000..e2101cf
--- /dev/null
+++ b/SOURCES/CheckVendor.java
@@ -0,0 +1,57 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 3) {
+ System.err.println("CheckVendor ");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL);
+ }
+}
diff --git a/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch b/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch
new file mode 100644
index 0000000..727ba2d
--- /dev/null
+++ b/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch
@@ -0,0 +1,38 @@
+# HG changeset patch
+# User mbalao
+# Date 1596572361 10800
+# Tue Aug 04 17:19:21 2020 -0300
+# Node ID d8a0513b92ee262d4e64c1e13d43e1b3f3e5c5d5
+# Parent a259b5b1bc7cc4dd0d8fa19e8bdbf96a4e76224f
+8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+Reviewed-by: valeriep
+Contributed-by: zzambers@redhat.com
+
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
+@@ -279,7 +279,9 @@
+ SecureRandom sr)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+ reset(true);
+- if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) {
++ if (fixedKeySize != -1 &&
++ ((key instanceof P11Key) ? ((P11Key) key).length() >> 3 :
++ key.getEncoded().length) != fixedKeySize) {
+ throw new InvalidKeyException("Key size is invalid");
+ }
+ P11Key newKey = P11SecretKeyFactory.convertKey(token, key, ALGO);
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
+@@ -345,7 +345,9 @@
+ SecureRandom random)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+ reset(true);
+- if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) {
++ if (fixedKeySize != -1 &&
++ ((key instanceof P11Key) ? ((P11Key) key).length() >> 3 :
++ key.getEncoded().length) != fixedKeySize) {
+ throw new InvalidKeyException("Key size is invalid");
+ }
+ switch (opmode) {
diff --git a/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch b/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch
new file mode 100644
index 0000000..c5a6191
--- /dev/null
+++ b/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch
@@ -0,0 +1,12 @@
+diff --git a/make/autoconf/version-numbers b/make/autoconf/version-numbers
+--- a/make/autoconf/version-numbers
++++ b/make/autoconf/version-numbers
+@@ -43,7 +43,7 @@
+ PRODUCT_NAME=OpenJDK
+ PRODUCT_SUFFIX="Runtime Environment"
+ JDK_RC_PLATFORM_NAME=Platform
+-COMPANY_NAME=N/A
++COMPANY_NAME="Oracle Corporation"
+ HOTSPOT_VM_DISTRO="OpenJDK"
+ VENDOR_URL=https://openjdk.java.net/
+ VENDOR_URL_BUG=https://bugreport.java.com/bugreport/
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
new file mode 100644
index 0000000..0a76cad
--- /dev/null
+++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
@@ -0,0 +1,311 @@
+diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
+@@ -1,11 +1,13 @@
+ /*
+- * Copyright (c) 2019, Red Hat, Inc.
++ * Copyright (c) 2019, 2020, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -34,10 +36,10 @@
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.function.Consumer;
+-import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
++import jdk.internal.misc.SharedSecrets;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+
+ /**
+@@ -47,7 +49,7 @@
+ *
+ */
+
+-class SystemConfigurator {
++final class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -61,15 +63,16 @@
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+- private static final class SecurityProviderInfo {
+- int number;
+- String key;
+- String value;
+- SecurityProviderInfo(int number, String key, String value) {
+- this.number = number;
+- this.key = key;
+- this.value = value;
+- }
++ private static boolean systemFipsEnabled = false;
++
++ static {
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
+ }
+
+ /*
+@@ -128,9 +131,9 @@
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+- // If keystore.type is PKCS11, javax.net.ssl.keyStore
+- // must be "NONE". See JDK-8238264.
+- System.setProperty("javax.net.ssl.keyStore", "NONE");
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+@@ -144,12 +147,13 @@
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+- System.getProperty("javax.net.ssl.keyStore", ""));
++ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
+ loadedProps = true;
++ systemFipsEnabled = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -160,13 +164,30 @@
+ return loadedProps;
+ }
+
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+- if (fipsEnabled) {
++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (shouldEnable) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++}
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
+@@ -76,6 +76,7 @@
+ private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -361,4 +362,12 @@
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
+@@ -31,6 +31,7 @@
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -542,20 +543,38 @@
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
+@@ -27,6 +27,8 @@
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.rsa.SunRsaSignEntries;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.provider.SunEntries.createAliases;
+@@ -195,8 +197,13 @@
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ (isfips? null : createAliases("SSL")), null);
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index d1b9b3a..b8aac10 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -250,6 +250,11 @@
%global lts_designator_zip ""
%endif
+# Define vendor information used by OpenJDK
+%global vendor "Oracle Corporation"
+%global vendor_url "https://openjdk.java.net/"
+%global vendor_bug_url "https://bugreport.java.com/bugreport/"
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 3.15.0
@@ -259,7 +264,7 @@
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 10
-%global rpmrelease 1
+%global rpmrelease 4
#%%global tagsuffix %%{nil}
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
%if %is_system_jdk
@@ -1120,6 +1125,9 @@ Source14: TestECDSA.java
# nss fips configuration file
Source15: nss.fips.cfg.in
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
############################################
#
# RPM/distribution specific patches
@@ -1138,6 +1146,8 @@ Patch1001: rh1655466-global_crypto_and_fips.patch
Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
#############################################
#
@@ -1165,6 +1175,20 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
Patch7: pr3695-toggle_system_crypto_policy.patch
# S390 ambiguous log2_intptr call
Patch8: s390-8214206_fix.patch
+# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor
+Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch
+
+#############################################
+#
+# Patches appearing in 11.0.9
+#
+# This section includes patches which are present
+# in the listed OpenJDK 11u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+# JDK-8251117, RH1860990: Cannot check P11Key size in P11Cipher and P11AEADCipher
+Patch9: jdk8251117-rh1860990-pkcs11_key_length.patch
#############################################
#
@@ -1533,12 +1557,15 @@ pushd %{top_level_dir_name}
%patch6 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
+%patch10 -p1
popd # openjdk
%patch1000
%patch1001
%patch1002
%patch1003
+%patch1004
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -1737,6 +1764,10 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") %{vendor} %{vendor_url} %{vendor_bug_url}
+
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image}
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
@@ -2181,6 +2212,19 @@ end
%endif
%changelog
+* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-4
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use.
+- Resolves: rhbz#1860986
+
+* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-3
+- Add JDK-8252258 to return default vendor to the original value of 'Oracle Corporation'
+- Include a test in the RPM to check the build has the correct vendor information.
+- Resolves: rhbz#1868406
+
+* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-2
+- Backport JDK-8251117 to allow key length to be retrieved from PKCS#11 FIPS keys
+- Resolves: rhbz#1860990
+
* Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-1
- Update to shenandoah-jdk-11.0.8+10 (GA)
- Switch to GA mode for final release.