diff --git a/.gitignore b/.gitignore
index f3e363a..a27ca58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
+SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz
SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index f6d771b..40c5074 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
+46672ad972c89177ff640feaef1a4161c43984f7 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz
cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/jdk8236039-status_request_extension.patch b/SOURCES/jdk8236039-status_request_extension.patch
new file mode 100644
index 0000000..be7008c
--- /dev/null
+++ b/SOURCES/jdk8236039-status_request_extension.patch
@@ -0,0 +1,310 @@
+# HG changeset patch
+# User jnimeh
+# Date 1578287079 28800
+# Sun Jan 05 21:04:39 2020 -0800
+# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1
+# Parent 3782f295811625b65d57f1aef15daa10d82a58a7
+8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
+Reviewed-by: xuelei
+
+diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
+--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
++++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -39,11 +39,7 @@
+ import javax.net.ssl.SSLProtocolException;
+ import sun.security.provider.certpath.OCSPResponse;
+ import sun.security.provider.certpath.ResponderId;
+-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
+-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
+ import sun.security.ssl.SSLExtension.ExtensionConsumer;
+-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
+-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
+ import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+ import sun.security.ssl.SSLHandshake.HandshakeMessage;
+ import sun.security.util.DerInputStream;
+@@ -434,8 +430,9 @@
+ } else {
+ extBuilder.append(",\n");
+ }
+- extBuilder.append(
+- "{\n" + Utilities.indent(ext.toString()) + "}");
++ extBuilder.append("{\n").
++ append(Utilities.indent(ext.toString())).
++ append("}");
+ }
+
+ extsStr = extBuilder.toString();
+@@ -552,11 +549,11 @@
+ return null;
+ }
+
+- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Ignore unavailable extension: " +
+- CH_STATUS_REQUEST.name);
++ SSLExtension.CH_STATUS_REQUEST.name);
+ }
+ return null;
+ }
+@@ -568,8 +565,8 @@
+ byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
+
+ // Update the context.
+- chc.handshakeExtensions.put(
+- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST,
++ CertStatusRequestSpec.DEFAULT);
+
+ return extData;
+ }
+@@ -593,10 +590,10 @@
+ // The consuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine("Ignore unavailable extension: " +
+- CH_STATUS_REQUEST.name);
++ SSLExtension.CH_STATUS_REQUEST.name);
+ }
+ return; // ignore the extension
+ }
+@@ -610,7 +607,7 @@
+ }
+
+ // Update the context.
+- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec);
+ if (!shc.isResumption &&
+ !shc.negotiatedProtocol.useTLS13PlusSpec()) {
+ shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+@@ -654,13 +651,12 @@
+
+ // In response to "status_request" extension request only.
+ CertStatusRequestSpec spec = (CertStatusRequestSpec)
+- shc.handshakeExtensions.get(CH_STATUS_REQUEST);
++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
+ if (spec == null) {
+ // Ignore, no status_request extension requested.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+- SSLLogger.finest(
+- "Ignore unavailable extension: " +
+- CH_STATUS_REQUEST.name);
++ SSLLogger.finest("Ignore unavailable extension: " +
++ SSLExtension.CH_STATUS_REQUEST.name);
+ }
+
+ return null; // ignore the extension
+@@ -681,8 +677,8 @@
+ byte[] extData = new byte[0];
+
+ // Update the context.
+- shc.handshakeExtensions.put(
+- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
++ CertStatusRequestSpec.DEFAULT);
+
+ return extData;
+ }
+@@ -708,7 +704,7 @@
+
+ // In response to "status_request" extension request only.
+ CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
+- chc.handshakeExtensions.get(CH_STATUS_REQUEST);
++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
+ if (requestedCsr == null) {
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected status_request extension in ServerHello");
+@@ -722,8 +718,8 @@
+ }
+
+ // Update the context.
+- chc.handshakeExtensions.put(
+- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
++ CertStatusRequestSpec.DEFAULT);
+
+ // Since we've received a legitimate status_request in the
+ // ServerHello, stapling is active if it's been enabled.
+@@ -909,7 +905,7 @@
+ return null;
+ }
+
+- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.finest(
+ "Ignore unavailable status_request_v2 extension");
+@@ -926,8 +922,8 @@
+ 0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
+
+ // Update the context.
+- chc.handshakeExtensions.put(
+- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
++ CertStatusRequestV2Spec.DEFAULT);
+
+ return extData;
+ }
+@@ -951,7 +947,7 @@
+ // The consuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.finest(
+ "Ignore unavailable status_request_v2 extension");
+@@ -969,7 +965,8 @@
+ }
+
+ // Update the context.
+- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
++ spec);
+ if (!shc.isResumption) {
+ shc.handshakeProducers.putIfAbsent(
+ SSLHandshake.CERTIFICATE_STATUS.id,
+@@ -1013,7 +1010,7 @@
+
+ // In response to "status_request_v2" extension request only
+ CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
+- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
+ if (spec == null) {
+ // Ignore, no status_request_v2 extension requested.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+@@ -1038,8 +1035,8 @@
+ byte[] extData = new byte[0];
+
+ // Update the context.
+- shc.handshakeExtensions.put(
+- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
++ CertStatusRequestV2Spec.DEFAULT);
+
+ return extData;
+ }
+@@ -1065,7 +1062,7 @@
+
+ // In response to "status_request" extension request only
+ CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
+- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
+ if (requestedCsr == null) {
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected status_request_v2 extension in ServerHello");
+@@ -1079,8 +1076,8 @@
+ }
+
+ // Update the context.
+- chc.handshakeExtensions.put(
+- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
++ CertStatusRequestV2Spec.DEFAULT);
+
+ // Since we've received a legitimate status_request in the
+ // ServerHello, stapling is active if it's been enabled. If it
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
+--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -113,7 +113,6 @@
+ null,
+ null,
+ CertStatusExtension.certStatusReqStringizer),
+-
+ CR_STATUS_REQUEST (0x0005, "status_request"),
+ CT_STATUS_REQUEST (0x0005, "status_request",
+ SSLHandshake.CERTIFICATE,
+@@ -124,6 +123,7 @@
+ null,
+ null,
+ CertStatusExtension.certStatusRespStringizer),
++
+ // extensions defined in RFC 4681
+ USER_MAPPING (0x0006, "user_mapping"),
+
+@@ -515,6 +515,16 @@
+ return null;
+ }
+
++ static String nameOf(int extensionType) {
++ for (SSLExtension ext : SSLExtension.values()) {
++ if (ext.id == extensionType) {
++ return ext.name;
++ }
++ }
++
++ return "unknown extension";
++ }
++
+ static boolean isConsumable(int extensionType) {
+ for (SSLExtension ext : SSLExtension.values()) {
+ if (ext.id == extensionType &&
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
+--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -86,11 +86,14 @@
+ "Received buggy supported_groups extension " +
+ "in the ServerHello handshake message");
+ }
+- } else {
++ } else if (handshakeType == SSLHandshake.SERVER_HELLO) {
+ throw hm.handshakeContext.conContext.fatal(
+- Alert.UNSUPPORTED_EXTENSION,
+- "extension (" + extId +
+- ") should not be presented in " + handshakeType.name);
++ Alert.UNSUPPORTED_EXTENSION, "extension (" +
++ extId + ") should not be presented in " +
++ handshakeType.name);
++ } else {
++ isSupported = false;
++ // debug log to ignore unknown extension for handshakeType
+ }
+ }
+
+@@ -365,9 +368,10 @@
+ }
+
+ private static String toString(int extId, byte[] extData) {
++ String extName = SSLExtension.nameOf(extId);
+ MessageFormat messageFormat = new MessageFormat(
+- "\"unknown extension ({0})\": '{'\n" +
+- "{1}\n" +
++ "\"{0} ({1})\": '{'\n" +
++ "{2}\n" +
+ "'}'",
+ Locale.ENGLISH);
+
+@@ -375,6 +379,7 @@
+ String encoded = hexEncoder.encodeBuffer(extData);
+
+ Object[] messageFields = {
++ extName,
+ extId,
+ Utilities.indent(encoded)
+ };
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 1f92524..826bf25 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -188,7 +188,7 @@
# New Version-String scheme-style defines
%global majorver 11
-%global securityver 5
+%global securityver 6
# buildjdkver is usually same as %%{majorver},
# but in time of bootstrap of next jdk, it is majorver-1,
# and this it is better to change it here, on single place
@@ -211,7 +211,7 @@
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 10
-%global rpmrelease 0
+%global rpmrelease 1
#%%global tagsuffix %{nil}
# priority must be 7 digits in total
# setting to 1, so debug ones can have 0
@@ -395,6 +395,7 @@ alternatives \\
--slave %{_bindir}/jdb jdb %{sdkbindir %%1}/jdb \\
--slave %{_bindir}/jdeps jdeps %{sdkbindir %%1}/jdeps \\
--slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir %%1}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir %%1}/jfr \\
--slave %{_bindir}/jimage jimage %{sdkbindir %%1}/jimage \\
--slave %{_bindir}/jinfo jinfo %{sdkbindir %%1}/jinfo \\
--slave %{_bindir}/jmap jmap %{sdkbindir %%1}/jmap \\
@@ -644,6 +645,7 @@ exit 0
%{_jvmdir}/%{sdkdir %%1}/bin/jdb
%{_jvmdir}/%{sdkdir %%1}/bin/jdeps
%{_jvmdir}/%{sdkdir %%1}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir %%1}/bin/jfr
%{_jvmdir}/%{sdkdir %%1}/bin/jimage
# Zero and S390x don't have SA
%ifarch %{jit_arches}
@@ -960,6 +962,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
Patch7: jdk8009550-rh910107-search_for_versioned_libpcsclite.patch
# S390 ambiguous log2_intptr call
Patch8: s390-8214206_fix.patch
+# JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
+Patch9: jdk8236039-status_request_extension.patch
#############################################
#
@@ -980,13 +984,6 @@ BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-%ifarch %{arm}
-BuildRequires: devtoolset-7-build
-BuildRequires: devtoolset-7-binutils
-BuildRequires: devtoolset-7-gcc
-BuildRequires: devtoolset-7-gcc-c++
-BuildRequires: devtoolset-7-gdb
-%endif
BuildRequires: gtk2-devel
# LCMS on rhel7 is older then LCMS in intree JDK
BuildRequires: lcms2-devel
@@ -1240,6 +1237,7 @@ pushd %{top_level_dir_name}
%patch6 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
popd # openjdk
%patch1000
@@ -1290,10 +1288,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
%build
-%ifarch %{arm}
-%{?enable_devtoolset7:%{enable_devtoolset7}}
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1793,6 +1787,21 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Sat Jan 11 2020 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.6.10-1
+- Add JDK-8236039 backport to resolve OpenShift blocker
+- Resolves: rhbz#1785753
+
+* Thu Jan 09 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.6.10-0
+- Update to shenandoah-jdk-11.0.6+10 (GA)
+- Switch to GA mode for final release.
+- Resolves: rhbz#1785753
+
+* Thu Dec 19 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.6.1-0.1.ea
+- Update to shenandoah-jdk-11.0.6+1 (EA)
+- Switch to EA mode for 11.0.6 pre-release builds.
+- Add support for jfr binary.
+- Resolves: rhbz#1785753
+
* Wed Oct 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-0
- Update to shenandoah-jdk-11.0.5+10 (GA)
- Switch to GA mode for final release.