Service allocation in the provider could fail due to the lack of a permission block. This has been fixed.
JceKeyFingerPrintCalculator has been generalised for different providers by using "SHA-256" for the algorithm string.
BCJSSE: Fixed a regression in 1.74 (NullPointerException) that prevents a BCJSSE server from negotiating TLSv1.1 or earlier.
DTLS: Fixed server support for client_certificate_type extension.
Cipher.unwrap() for HQC could fail due to a miscalculation of the length of the KEM packet. This has been fixed.
There was exposure to a Java 7 method in the Java 5 to Java 8 BCTLS jar whic h could cause issues with some TLS 1.2 cipher suites running on older JVMs. This is now fixed.
Additional Features and Functionality
BCJSSE: Following OpenJDK, finalizers have been removed from SSLSocket subclasses. Applications should close sockets and not rely on garbage collection.
BCJSSE: Added support for boolean system property "jdk.tls.client.useCompatibilityMode" (default "true").
DTLS: Added server support for session resumption.
JcaPKCS10CertificationRequest will now work with EC on the OpenJDK provider.
TimeStamp generation now supports the SHA3 algorithm set.
The SPHINCS+ simple parameters are now fully supported in the BCPQC provider.
Kyber, Classic McEliece, HQC, and Bike now supported by the CRMF/CMS/CMP APIs.
Builder classes have been add for PGP ASCII Armored streams allowing CRCs and versions to now be optional.
An UnknownPacket type has been added to the PGP APIs to allow for forwards compatibility with upcoming revisions to the standard.