diff --git a/.gitignore b/.gitignore
index f3e363a..27854a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
+SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index f6d771b..c8ec3c7 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
+dcc5e78329858f75342094efdccce1e87d9cb1d9 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
 cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch b/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
deleted file mode 100644
index 999d74e..0000000
--- a/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+++ /dev/null
@@ -1,434 +0,0 @@ -diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4 ---- a/make/autoconf/jdk-options.m4 -+++ b/make/autoconf/jdk-options.m4 -@@ -267,9 +267,10 @@ - # - AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], - [ -+ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) - AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) - -- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then -+ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then - ENABLE_INTREE_EC=true - AC_MSG_RESULT([yes]) - else -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -178,6 +178,48 @@ - AC_SUBST(LIBDL) - LIBS="$save_LIBS" - -+ ############################################################################### -+ # -+ # Check for the NSS libraries -+ # -+ -+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) -+ -+ # default is bundled -+ DEFAULT_SYSTEM_NSS=no -+ -+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], -+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ system_nss=yes -+ ;; -+ *) -+ system_nss=no -+ ;; -+ esac -+ ], -+ [ -+ system_nss=${DEFAULT_SYSTEM_NSS} -+ ]) -+ AC_MSG_RESULT([$system_nss]) -+ -+ if test "x${system_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) -+ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then -+ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl"; -+ USE_EXTERNAL_NSS=true -+ else -+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) -+ fi -+ else -+ USE_EXTERNAL_NSS=false -+ fi -+ AC_SUBST(USE_EXTERNAL_NSS) -+ -+ - # Deprecated libraries, keep the flags for backwards 
compatibility - if test "x$OPENJDK_TARGET_OS" = "xwindows"; then - BASIC_DEPRECATED_ARG_WITH([dxsdk]) -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -795,6 +795,10 @@ - # Libraries - # - -+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk ---- a/make/lib/Lib-jdk.crypto.ec.gmk -+++ b/make/lib/Lib-jdk.crypto.ec.gmk -@@ -38,6 +38,11 @@ - BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB) - endif - -+ ifeq ($(USE_EXTERNAL_NSS), true) -+ BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ endif -+ - $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \ - NAME := sunec, \ - TOOLCHAIN := TOOLCHAIN_LINK_CXX, \ -@@ -47,9 +52,11 @@ - CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \ - DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \ - DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \ -- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ -+ LDFLAGS := $(subst -Xlinker --as-needed,, \ -+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \ - LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ - LIBS := $(LIBCXX), \ -+ LIBS_linux := -lc $(NSS_LIBS), \ - )) - - TARGETS += $(BUILD_LIBSUNEC) -diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h ---- a/src/java.base/unix/native/include/jni_md.h -+++ b/src/java.base/unix/native/include/jni_md.h -@@ -41,6 +41,11 @@ - #define JNIEXPORT - #define JNIIMPORT - #endif -+#if (defined(__GNUC__)) || __has_attribute(unused) -+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) -+#else -+ #define UNUSED(x) UNUSED_ ## x -+#endif - - #define JNICALL 
- -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -61,6 +61,7 @@ - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - System.loadLibrary("sunec"); // check for native library -+ initialize(); - return null; - } - }); -@@ -293,6 +294,11 @@ - "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } - -+ /** -+ * Initialize the native code. -+ */ -+ private static native void initialize(); -+ - private void putXDHEntries() { - - HashMap ATTRS = new HashMap<>(1); -diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp ---- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -@@ -25,7 +25,11 @@ - - #include - #include "jni_util.h" -+#ifdef SYSTEM_NSS -+#include "ecc_impl.h" -+#else - #include "impl/ecc_impl.h" -+#endif - #include "sun_security_ec_ECDHKeyAgreement.h" - #include "sun_security_ec_ECKeyPairGenerator.h" - #include "sun_security_ec_ECDSASignature.h" -@@ -33,6 +37,13 @@ - #define INVALID_PARAMETER_EXCEPTION \ - "java/security/InvalidParameterException" - #define KEY_EXCEPTION "java/security/KeyException" -+#define INTERNAL_ERROR "java/lang/InternalError" -+ -+#ifdef SYSTEM_NSS -+#define SYSTEM_UNUSED(x) UNUSED(x) -+#else -+#define SYSTEM_UNUSED(x) x -+#endif - - extern "C" { - -@@ -55,8 +66,13 @@ - /* - * Deep free of the ECParams struct - */ --void FreeECParams(ECParams *ecparams, jboolean freeStruct) -+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct)) - { -+#ifdef SYSTEM_NSS -+ // Needs to be freed using the matching method to the one -+ // that allocated it. PR_TRUE means the memory is zeroed. 
-+ PORT_FreeArena(ecparams->arena, PR_TRUE); -+#else - // Use B_FALSE to free the SECItem->data element, but not the SECItem itself - // Use B_TRUE to free both - -@@ -70,6 +86,7 @@ - SECITEM_FreeItem(&ecparams->curveOID, B_FALSE); - if (freeStruct) - free(ecparams); -+#endif - } - - jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem) -@@ -139,7 +156,7 @@ - */ - JNIEXPORT jobjectArray - JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair -- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) -+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) - { - ECPrivateKey *privKey = NULL; // contains both public and private values - ECParams *ecparams = NULL; -@@ -171,8 +188,17 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Generate the new keypair (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) { -+#else - if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer, - jSeedLength, 0) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -219,10 +245,15 @@ - } - if (privKey) { - FreeECParams(&privKey->ecParams, false); -+#ifndef SYSTEM_NSS -+ // The entire ECPrivateKey is allocated in the arena -+ // when using system NSS, so only the in-tree version -+ // needs to clear these manually. 
- SECITEM_FreeItem(&privKey->version, B_FALSE); - SECITEM_FreeItem(&privKey->privateValue, B_FALSE); - SECITEM_FreeItem(&privKey->publicValue, B_FALSE); - free(privKey); -+#endif - } - - if (pSeedBuffer) { -@@ -240,7 +271,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDSASignature_signDigest -- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) - { - jbyte* pDigestBuffer = NULL; - jint jDigestLength = env->GetArrayLength(digest); -@@ -299,8 +330,18 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Sign the digest (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item) -+ != SECSuccess) { -+#else - if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item, - (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -349,7 +390,7 @@ - */ - JNIEXPORT jboolean - JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest -- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) - { - jboolean isValid = false; - -@@ -406,9 +447,10 @@ - - cleanup: - { -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (pubKey.publicValue.data) - env->ReleaseByteArrayElements(publicKey, -@@ -434,7 +476,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL 
Java_sun_security_ec_ECDHKeyAgreement_deriveKey -- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) - { - jbyteArray jSecret = NULL; - ECParams *ecparams = NULL; -@@ -510,9 +552,10 @@ - env->ReleaseByteArrayElements(publicKey, - (jbyte *) publicValue_item.data, JNI_ABORT); - -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (ecparams) - FreeECParams(ecparams, true); -@@ -521,4 +564,28 @@ - return jSecret; - } - -+JNIEXPORT void -+JNICALL Java_sun_security_ec_SunEC_initialize -+ (JNIEnv *env, jclass UNUSED(clazz)) -+{ -+#ifdef SYSTEM_NSS -+ if (SECOID_Init() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+ if (RNG_RNGInit() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+#endif -+} -+ -+JNIEXPORT void -+JNICALL JNI_OnUnload -+ (JavaVM *vm, void *reserved) -+{ -+#ifdef SYSTEM_NSS -+ RNG_RNGShutdown(); -+ SECOID_Shutdown(); -+#endif -+} -+ - } /* extern "C" */ ---- a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-11 00:01:25.000000000 -0500 -+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-14 03:52:54.145695946 -0500 -@@ -45,7 +45,19 @@ - #endif - - #include -+ -+#ifdef SYSTEM_NSS -+#include -+#include -+#include -+#ifdef LEGACY_NSS -+#include -+#else -+#include -+#endif -+#else - #include "ecl-exp.h" -+#endif - - /* - * Multi-platform definitions -@@ -96,6 +108,7 @@ - * Various structures and definitions from NSS are here. 
- */ - -+#ifndef SYSTEM_NSS - #ifdef _KERNEL - #define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) - #define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) -@@ -130,9 +143,12 @@ - #define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) - #endif - -+#endif -+ - #define CHECK_OK(func) if (func == NULL) goto cleanup - #define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup - -+#ifndef SYSTEM_NSS - typedef enum { - siBuffer = 0, - siClearDataBuffer = 1, -@@ -229,6 +245,7 @@ - SECFailure = -1, - SECSuccess = 0 - } SECStatus; -+#endif - - #ifdef _KERNEL - #define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) -@@ -237,8 +254,10 @@ - This function is no longer required because the random bytes are now - supplied by the caller. Force a failure. - */ -+#ifndef SYSTEM_NSS - #define RNG_GenerateGlobalRandomBytes(p,l) SECFailure - #endif -+#endif - #define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup - #define MP_TO_SEC_ERROR(err) - -@@ -248,11 +267,18 @@ - extern int ecc_knzero_random_generator(uint8_t *, size_t); - extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); - -+#ifdef SYSTEM_NSS -+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) -+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) -+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) -+#else - extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); -+ - extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); - extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, - int); - extern void SECITEM_FreeItem(SECItem *, boolean_t); -+ - /* This function has been modified to accept an array of random bytes */ - extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, - const unsigned char* random, int randomlen, int); -@@ -263,9 +289,10 @@ - const SECItem *, int); - extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, - SECItem *, int); -+#endif - 
- #ifdef __cplusplus - } - #endif - --#endif /* _ECC_IMPL_H */ -+#endif /* _ECC_IMPL_H */ diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh index 4ec68b7..f3be341 100644 --- a/SOURCES/remove-intree-libraries.sh +++ b/SOURCES/remove-intree-libraries.sh @@ -128,10 +128,4 @@ rm -vf ${LCMS_SRC}/lcms2.h rm -vf ${LCMS_SRC}/lcms2_internal.h rm -vf ${LCMS_SRC}/lcms2_plugin.h -# Get rid of in-tree SunEC until RH1656676 is implemented -echo "Removing SunEC native code" -mv -v src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h . -rm -vrf src/jdk.crypto.ec/share/native/libsunec/impl -mv -v ecc_impl.h src/jdk.crypto.ec/share/native/libsunec - diff --git a/SOURCES/rh1022017-reduce_ssl_curves.patch b/SOURCES/rh1022017-reduce_ssl_curves.patch new file mode 100644 index 0000000..6dab416 --- /dev/null +++ b/SOURCES/rh1022017-reduce_ssl_curves.patch 
@@ -0,0 +1,66 @@
+diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+--- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
++++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+@@ -515,50 +515,19 @@
+ }
+ } else { // default groups
+ NamedGroup[] groups;
+- if (requireFips) {
+- groups = new NamedGroup[] {
+- // only NIST curves in FIPS mode
+- NamedGroup.SECP256_R1,
+- NamedGroup.SECP384_R1,
+- NamedGroup.SECP521_R1,
+- NamedGroup.SECT283_K1,
+- NamedGroup.SECT283_R1,
+- NamedGroup.SECT409_K1,
+- NamedGroup.SECT409_R1,
+- NamedGroup.SECT571_K1,
+- NamedGroup.SECT571_R1,
++ groups = new NamedGroup[] {
++ // only NIST curves in FIPS mode
++ NamedGroup.SECP256_R1,
++ NamedGroup.SECP384_R1,
++ NamedGroup.SECP521_R1,
+
+- // FFDHE 2048
+- NamedGroup.FFDHE_2048,
+- NamedGroup.FFDHE_3072,
+- NamedGroup.FFDHE_4096,
+- NamedGroup.FFDHE_6144,
+- NamedGroup.FFDHE_8192,
+- };
+- } else {
+- groups = new NamedGroup[] {
+- // NIST curves first
+- NamedGroup.SECP256_R1,
+- NamedGroup.SECP384_R1,
+- NamedGroup.SECP521_R1,
+- NamedGroup.SECT283_K1,
+- NamedGroup.SECT283_R1,
+- NamedGroup.SECT409_K1,
+- NamedGroup.SECT409_R1,
+- NamedGroup.SECT571_K1,
+- NamedGroup.SECT571_R1,
+-
+- // non-NIST curves
+- NamedGroup.SECP256_K1,
+-
+- // FFDHE 2048
+- NamedGroup.FFDHE_2048,
+- NamedGroup.FFDHE_3072,
+- NamedGroup.FFDHE_4096,
+- NamedGroup.FFDHE_6144,
+- NamedGroup.FFDHE_8192,
+- };
+- }
++ // FFDHE 2048
++ NamedGroup.FFDHE_2048,
++ NamedGroup.FFDHE_3072,
++ NamedGroup.FFDHE_4096,
++ NamedGroup.FFDHE_6144,
++ NamedGroup.FFDHE_8192,
++ };
+
+ groupList = new ArrayList<>(groups.length);
+ for (NamedGroup group : groups) {
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index d350e87..486955f 100644
--- a/SPECS/java-11-openjdk.spec
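Review bot: The comment `// only NIST curves in FIPS mode` is kept on the one array that remains, but with the `requireFips` branch removed that array is now the default group list in every mode, so the comment misleads anyone auditing which groups this build offers. The `// FFDHE 2048` comment likewise sits above five groups running up to `FFDHE_8192`. I would reword them along the lines of `// NIST prime curves only; SECT* curves and SECP256_K1 are dropped in all modes, not just FIPS` and `// FFDHE groups`. It may also be worth checking whether `requireFips` is still read elsewhere in the file, since the enclosing method starts and ends outside this hunk.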
+++ b/SPECS/java-11-openjdk.spec @@ -109,7 +109,6 @@ %endif # if you disable both builds, then the build fails -# Note that the debug build requires the normal build for docs %global build_loop %{build_loop1} %{build_loop2} # note: that order: normal_suffix debug_suffix, in case of both enabled # is expected in one single case at the end of the build @@ -144,14 +143,6 @@ # looks like openjdk RPM specific bug # Always set this so the nss.cfg file is not broken %global NSS_LIBDIR %(pkg-config --variable=libdir nss) -%global NSS_LIBS %(pkg-config --libs nss) -%global NSS_CFLAGS %(pkg-config --cflags nss-softokn) -# see https://bugzilla.redhat.com/show_bug.cgi?id=1332456 -%global NSSSOFTOKN_BUILDTIME_NUMBER %(pkg-config --modversion nss-softokn || : ) -%global NSS_BUILDTIME_NUMBER %(pkg-config --modversion nss || : ) -# this is workaround for processing of requires during srpm creation -%global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) -%global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) # In some cases, the arch used by the JDK does # not match _arch. @@ -209,7 +200,7 @@ # New Version-String scheme-style defines %global majorver 11 -%global securityver 5 +%global securityver 4 # buildjdkver is usually same as %%{majorver}, # but in time of bootstrap of next jdk, it is majorver-1, # and this it is better to change it here, on single place @@ -231,8 +222,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 -%global buildver 10 -%global rpmrelease 0 +%global buildver 11 +%global rpmrelease 2 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk 
@@ -841,7 +832,9 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding +%if 0%{?rhel} >= 8 Recommends: gtk3%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -866,9 +859,6 @@ Requires: javapackages-filesystem Requires: tzdata-java >= 2015d # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} -# there is a need to depend on the exact version of NSS -Requires: nss%{?_isa} %{NSS_BUILDTIME_VERSION} -Requires: nss-softokn%{?_isa} %{NSSSOFTOKN_BUILDTIME_VERSION} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression @@ -885,7 +875,9 @@ Requires(postun): %{_sbindir}/alternatives # in version 1.7 and higher for --family switch Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings +%if 0%{?rhel} >= 8 Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} +%endif # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} 
@@ -1052,11 +1044,13 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch +# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS +# Not currently suitable to go upstream as it disables curves +# for all providers unconditionally +Patch525: rh1022017-reduce_ssl_curves.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# System NSS via SunEC Provider -Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch ############################################# # @@ -1093,12 +1087,11 @@ BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel -BuildRequires: fontconfig +BuildRequires: fontconfig-devel BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: gtk3-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel @@ -1106,6 +1099,8 @@ BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel # Requirements for setting up the nss.cfg 
@@ -1123,8 +1118,6 @@ BuildRequires: libffi-devel BuildRequires: tzdata-java >= 2015d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 -# Build requirements for SunEC system NSS support -BuildRequires: nss-softokn-freebl-devel >= 3.16.1 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel @@ -1269,6 +1262,7 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice Summary: %{origin_nice} %{majorver} API documentation Group: Documentation Requires: javapackages-filesystem +Obsoletes: javadoc-debug %{java_javadoc_rpo %{nil}} @@ -1278,38 +1272,15 @@ The %{origin_nice} %{majorver} API documentation. %if %{include_normal_build} %package javadoc-zip -Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive +Summary: %{origin_nice} %{majorver} API documentation compressed in single archive Group: Documentation Requires: javapackages-filesystem +Obsoletes: javadoc-zip-debug %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in a single archive. -%endif - -%if %{include_debug_build} -%package javadoc-slowdebug -Summary: %{origin_nice} %{majorver} API documentation %{for_debug} -Group: Documentation -Requires: javapackages-filesystem - -%{java_javadoc_rpo -- %{debug_suffix_unquoted}} - -%description javadoc-slowdebug -The %{origin_nice} %{majorver} API documentation %{for_debug}. -%endif - -%if %{include_debug_build} -%package javadoc-zip-slowdebug -Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive %{for_debug} -Group: Documentation -Requires: javapackages-filesystem - -%{java_javadoc_rpo -- %{debug_suffix_unquoted}} - -%description javadoc-zip-slowdebug -The %{origin_nice} %{majorver} API documentation compressed in a single archive %{for_debug}. +The %{origin_nice} %{majorver} API documentation compressed in single archive. %endif %prep 
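Review bot: The added `Obsoletes: javadoc-debug` in the `%package javadoc` hunk, and `Obsoletes: javadoc-zip-debug` in the `%package javadoc-zip` hunk, are unversioned and lack the `%{name}-` prefix. Unlike the argument of `%package`, an `Obsoletes:` value is a full package name, so as written these match packages literally called `javadoc-debug` and `javadoc-zip-debug`, which is presumably not the old debug javadoc subpackages they are meant to retire. An unversioned Obsoletes also keeps obsoleting any later package of that name. The usual form would be `Obsoletes: %{name}-javadoc-debug < %{epoch}:%{version}-%{release}`, and the same for the zip variant. The exact old subpackage names should be confirmed first, because the changelog entry in this commit writes `javadoc-debug-zip` while the spec writes `javadoc-zip-debug`.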
@@ -1329,10 +1300,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then echo "You have disabled both include_debug_build and include_normal_build. That is a no go." exit 13 fi -if [ %{include_normal_build} -eq 0 ] ; then - echo "You have disabled the normal build, but this is required to provide docs for the debug build." - exit 14 -fi %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1350,10 +1317,10 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch525 -p1 popd # openjdk %patch1000 @@ -1460,7 +1427,6 @@ bash ../configure \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ --enable-unlimited-crypto \ - --enable-system-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -1670,11 +1636,12 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} popd -# Install Javadoc documentation -# Always take docs from normal build to avoid building them twice -install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} -cp -a %{buildoutputdir $normal_suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} -cp -a %{buildoutputdir $normal_suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +if ! echo $suffix | grep -q "debug" ; then + # Install Javadoc documentation + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} + cp -a %{buildoutputdir $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} + cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +fi # Install icons and menu entries for s in 16 24 32 48 ; do 
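Review bot: In the new javadoc install block, `$suffix` is expanded unquoted in `if ! echo $suffix | grep -q "debug" ; then`, and the two `cp` lines call the same macros in two different ways. The first uses `%{buildoutputdir $suffix}` and `%{uniquejavadocdir $suffix}`, the second `%{buildoutputdir -- $suffix}` and `%{uniquejavadocdir -- $suffix}`. Since the block now runs only for the non-debug suffix this is probably harmless, but the mixed forms make it hard to tell which one is intended. I would quote the variable, `if ! echo "$suffix" | grep -q "debug" ; then`, and use the `--` form on both `cp` lines so a suffix beginning with `-` is never parsed as a macro option. A short comment such as `# debug builds ship no javadoc subpackages` above the `if` would record why the branch exists.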
@@ -1824,18 +1791,6 @@ require "copy_jdk_configs.lua" %posttrans devel-slowdebug %{posttrans_devel -- %{debug_suffix_unquoted}} -%post javadoc-slowdebug -%{post_javadoc -- %{debug_suffix_unquoted}} - -%postun javadoc-slowdebug -%{postun_javadoc -- %{debug_suffix_unquoted}} - -%post javadoc-zip-slowdebug -%{post_javadoc_zip -- %{debug_suffix_unquoted}} - -%postun javadoc-zip-slowdebug -%{postun_javadoc_zip -- %{debug_suffix_unquoted}} - %endif %if %{include_normal_build} 
@@ -1896,118 +1851,110 @@ require "copy_jdk_configs.lua" %files src-slowdebug %{files_src -- %{debug_suffix_unquoted}} -%files javadoc-slowdebug -%{files_javadoc -- %{debug_suffix_unquoted}} - -%files javadoc-zip-slowdebug -%{files_javadoc_zip -- %{debug_suffix_unquoted}} - %endif %changelog -* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-0 -- Update to shenandoah-jdk-11.0.5+10 (GA) -- Switch to GA mode for final release. -- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. -- Resolves: rhbz#1753423 - -* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.9-0.0.ea -- Update to shenandoah-jdk-11.0.5+9 (EA) -- Resolves: rhbz#1753423 - -* Fri Sep 06 2019 Andrew John Hughes - 1:11.0.5.2-0.0.ea -- Update to shenandoah-jdk-11.0.5+2 (EA) -- Resolves: rhbz#1753423 - -* Tue Aug 13 2019 Andrew Hughes - 1:11.0.5.1-0.0.ea -- Update to shenandoah-jdk-11.0.5+1 (EA) -- Switch to EA mode for 11.0.5 pre-release builds. -- Resolves: rhbz#1753423 +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-2 +- Drop NSS runtime dependencies and patches to link against it. +- Resolves: rhbz#1678554 -* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-0 +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-1 - Update to shenandoah-jdk-11.0.4+11 (GA) - Switch to GA mode for final release. 
- Resolves: rhbz#1724452 -* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.0.ea +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.1.ea - Update to shenandoah-jdk-11.0.4+10 (EA) - Resolves: rhbz#1724452 -* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.9-0.0.ea +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.9-0.1.ea - Update to shenandoah-jdk-11.0.4+9 (EA) - Resolves: rhbz#1724452 -* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.8-0.0.ea +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.8-0.1.ea - Update to shenandoah-jdk-11.0.4+8 (EA) - Resolves: rhbz#1724452 -* Sun Jul 07 2019 Andrew Hughes - 1:11.0.4.7-0.0.ea -- Update to shenandoah-jdk-11.0.4+7 (EA) +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency - Resolves: rhbz#1724452 -* Thu Jul 04 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea -- Debug packages should be called 'slowdebug' on RHEL 8 +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency - Resolves: rhbz#1724452 -* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.0.ea -- Provide Javadoc debug subpackages for now, but populate them from the normal build. +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Make use of Recommends and Suggests dependent on RHEL 8+ environment. +- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. 
- Resolves: rhbz#1724452 -* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.0.ea +* Sun Jul 07 2019 Andrew Hughes - 1:11.0.4.7-0.1.ea +- Update to shenandoah-jdk-11.0.4+7 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Obsolete javadoc-debug and javadoc-debug-zip packages via javadoc and javadoc-zip respectively. +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea - Update to shenandoah-jdk-11.0.4+6 (EA) - Resolves: rhbz#1724452 -* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.5-0.0.ea +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.5-0.1.ea - Update to shenandoah-jdk-11.0.4+5 (EA) - Resolves: rhbz#1724452 -* Tue Jul 02 2019 Andrew Hughes - 1:11.0.4.4-0.0.ea +* Tue Jul 02 2019 Andrew Hughes - 1:11.0.4.4-0.1.ea - Update to shenandoah-jdk-11.0.4+4 (EA) - Resolves: rhbz#1724452 -* Mon Jul 01 2019 Andrew Hughes - 1:11.0.4.3-0.0.ea +* Mon Jul 01 2019 Andrew Hughes - 1:11.0.4.3-0.1.ea - Update to shenandoah-jdk-11.0.4+3 (EA) - Resolves: rhbz#1724452 -* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.0.ea +* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.1.ea - Update to shenandoah-jdk-11.0.4+2 (EA) - Resolves: rhbz#1724452 -* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.0.ea +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.1.ea - Package jspawnhelper (see JDK-8220360). - Resolves: rhbz#1724452 -* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-4 +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-5 - Include 'ea' designator in Release when appropriate. - Resolves: rhbz#1724452 -* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-4 +* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-5 - Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately. - Resolves: rhbz#1724452 -* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-3 +* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-4 - Don't build the test images needlessly. - Don't produce javadoc/javadoc-zip sub packages for the debug variant build. 
- Don't perform a bootcycle build for the debug variant build. - Resolves: rhbz#1724452 -* Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-2 +* Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-3 - Do not generate lib-style requires for -slowdebug subpackages. - Resolves: rhbz#1693468 -* Tue Apr 23 2019 Severin Gehwolf - 1:11.0.3.7-2 +* Tue Apr 23 2019 Severin Gehwolf - 1:11.0.3.7-3 - Fix requires/provides for the non-system JDK case. JDK 11 is not a system JDK at this point. - Resolves: rhbz#1693468 -* Tue Apr 16 2019 Severin Gehwolf - 1:11.0.3.7-1 +* Tue Apr 16 2019 Severin Gehwolf - 1:11.0.3.7-2 - Don't package lib/client and lib/client/classes.jsa which don't exist (see RH1643469) - Resolves: rhbz#1693468 -* Sun Apr 07 2019 Andrew Hughes - 1:11.0.3.7-0 +* Sun Apr 07 2019 Andrew Hughes - 1:11.0.3.7-1 - Update to shenandoah-jdk-11.0.3+7 (April 2019 GA) - Resolves: rhbz#1693468 -* Sat Apr 06 2019 Andrew Hughes - 1:11.0.3.6-0 +* Sat Apr 06 2019 Andrew Hughes - 1:11.0.3.6-1 - Update to shenandoah-jdk-11.0.3+6 (April 2019 EA) - Drop JDK-8210416/RH1632174 applied upstream. - Drop JDK-8210425/RH1632174 applied upstream. @@ -2017,10 +1964,13 @@ require "copy_jdk_configs.lua" - Add cast to resolve s390 ambiguity in call to log2_intptr - Resolves: rhbz#1693468 -* Thu Mar 21 2019 Severin Gehwolf - 1:11.0.2.7-3 +* Fri Apr 05 2019 Severin Gehwolf - 1:11.0.2.7-4 - Add patch for RH1566890 - Resolves: rhbz#1693468 +* Tue Mar 26 2019 Jiri Vanek - 1:11.0.2.7-3 +- added gating + * Fri Feb 08 2019 Severin Gehwolf - 1:11.0.2.7-2 - Add explicit requirement for libXcomposite which is used when performing screenshots from Java.