#
# This is the "master security properties file".
#
# An alternate java.security properties file may be specified
# from the command line via the system property
#
#    -Djava.security.properties=<URL>
#
# This properties file appends to the master security properties file.
# If both properties files specify values for the same key, the value
# from the command-line properties file is selected, as it is the last
# one loaded.
#
# Also, if you specify
#
#    -Djava.security.properties==<URL> (2 equals),
#
# then that properties file completely overrides the master security
# properties file.
#
# To disable the ability to specify an additional properties file from
# the command line, set the key security.overridePropertiesFile
# to false in the master security properties file. It is set to true
# by default.

# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
#ifdef solaris
security.provider.tbd=OracleUcrypto
security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg
#endif
security.provider.tbd=SUN
security.provider.tbd=SunRsaSign
security.provider.tbd=SunEC
security.provider.tbd=SunJSSE
security.provider.tbd=SunJCE
security.provider.tbd=SunJGSS
security.provider.tbd=SunSASL
security.provider.tbd=XMLDSig
security.provider.tbd=SunPCSC
security.provider.tbd=JdkLDAP
security.provider.tbd=JdkSASL
#ifdef windows
security.provider.tbd=SunMSCAPI
#endif
#ifdef macosx
security.provider.tbd=Apple
#endif
#ifndef solaris
security.provider.tbd=SunPKCS11
#endif

#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc.) will be ignored. Use the
# -Djava.security.debug=jca property to debug these errors.
#
# The property is a comma-separated list of serviceType.algorithm:provider
# entries. The serviceType (example: "MessageDigest") is optional, and if
# not specified, the algorithm applies to all service types that support it.
# The algorithm is the standard algorithm name or transformation.
# Transformations can be specified in their full standard name
# (e.g. AES/CBC/PKCS5Padding), or as partial matches (e.g. AES, AES/CBC).
# The provider is the name of the provider. Any provider that does not
# also appear in the registered list will be ignored.
#
# Example:
#   jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \
#         MessageDigest.SHA-256:SUN
#ifdef solaris-sparc
jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, SHA-224:SUN, \
  SHA-256:SUN, SHA-384:SUN, SHA-512:SUN
#endif
#ifdef solaris-x86
jdk.security.provider.preferred=AES:SunJCE, RSA:SunRsaSign
#endif


#
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and
# "NativePRNG" SecureRandom implementations in the "Sun" provider.
# (Other SecureRandom implementations might also use this property.)
#
# On Unix-like systems (for example, Solaris/Linux/MacOS), the
# "NativePRNG" and "SHA1PRNG" implementations obtain seed data from
# special device files such as file:/dev/random.
#
# On Windows systems, specifying the URLs "file:/dev/random" or
# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
# mechanism for SHA1PRNG.
#
# By default, an attempt is made to use the entropy gathering device
# specified by the "securerandom.source" Security property. If an
# exception occurs while accessing the specified URL:
#
#     SHA1PRNG:
#         the traditional system/thread activity algorithm will be used.
#
#     NativePRNG:
#         a default value of /dev/random will be used.
#         If neither is available, the implementation will be disabled.
#         "file" is the only currently supported protocol type.
#
# The entropy gathering device can also be specified with the System
# property "java.security.egd". For example:
#
#   % java -Djava.security.egd=file:/dev/random MainClass
#
# Specifying this System property will override the
# "securerandom.source" Security property.
#
# In addition, if "file:/dev/random" or "file:/dev/urandom" is
# specified, the "NativePRNG" implementation will be preferred over
# SHA1PRNG in the Sun provider.
#
securerandom.source=file:/dev/random

#
# A list of known strong SecureRandom implementations.
#
# To help guide applications in selecting a suitable strong
# java.security.SecureRandom implementation, Java distributions should
# indicate a list of known strong implementations using the property.
#
# This is a comma-separated list of algorithm and/or algorithm:provider
# entries.
#
#ifdef windows
securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,SHA1PRNG:SUN
#endif
#ifndef windows
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
#endif

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=sun.security.provider.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object. The system class loader is used to
# locate this class.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/conf/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission. Note: the default policy
# provider (sun.security.provider.PolicyFile) does not support this property.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=pkcs12

#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading
# keystore files in either JKS or PKCS12 format. When set to 'false' the
# JKS keystore type supports loading only JKS keystore files and the PKCS12
# keystore type supports loading only PKCS12 keystore files.
#
keystore.type.compat=true

#
# A comma-separated list of package name prefixes. A package name that
# starts with or equals one of these entries will cause a security
# exception to be thrown when passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,\
               com.sun.xml.internal.,\
               com.sun.imageio.,\
               com.sun.istack.internal.,\
               com.sun.jmx.,\
               com.sun.media.sound.,\
               com.sun.naming.internal.,\
               com.sun.proxy.,\
               com.sun.corba.se.,\
               com.sun.org.apache.bcel.internal.,\
               com.sun.org.apache.regexp.internal.,\
               com.sun.org.apache.xerces.internal.,\
               com.sun.org.apache.xpath.internal.,\
               com.sun.org.apache.xalan.internal.extensions.,\
               com.sun.org.apache.xalan.internal.lib.,\
               com.sun.org.apache.xalan.internal.res.,\
               com.sun.org.apache.xalan.internal.templates.,\
               com.sun.org.apache.xalan.internal.utils.,\
               com.sun.org.apache.xalan.internal.xslt.,\
               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
               com.sun.org.apache.xalan.internal.xsltc.trax.,\
               com.sun.org.apache.xalan.internal.xsltc.util.,\
               com.sun.org.apache.xml.internal.res.,\
               com.sun.org.apache.xml.internal.security.,\
               com.sun.org.apache.xml.internal.serializer.dom3.,\
               com.sun.org.apache.xml.internal.serializer.utils.,\
               com.sun.org.apache.xml.internal.utils.,\
               com.sun.org.glassfish.,\
               com.sun.tools.script.,\
               com.oracle.xmlns.internal.,\
               com.oracle.webservices.internal.,\
               org.jcp.xml.dsig.internal.,\
               jdk.internal.,\
               jdk.nashorn.internal.,\
               jdk.nashorn.tools.,\
               jdk.tools.jimage.,\
               com.sun.activation.registries.,\
               com.sun.java.accessibility.util.internal.,\
#ifdef windows
               com.sun.java.accessibility.internal.,\
#endif
#ifdef macosx
               apple.,\
#endif

#
# A comma-separated list of package name prefixes. A package name that
# starts with or equals one of these entries will cause a security
# exception to be thrown when passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
package.definition=sun.,\
                   com.sun.xml.internal.,\
                   com.sun.imageio.,\
                   com.sun.istack.internal.,\
                   com.sun.jmx.,\
                   com.sun.media.sound.,\
                   com.sun.naming.internal.,\
                   com.sun.proxy.,\
                   com.sun.corba.se.,\
                   com.sun.org.apache.bcel.internal.,\
                   com.sun.org.apache.regexp.internal.,\
                   com.sun.org.apache.xerces.internal.,\
                   com.sun.org.apache.xpath.internal.,\
                   com.sun.org.apache.xalan.internal.extensions.,\
                   com.sun.org.apache.xalan.internal.lib.,\
                   com.sun.org.apache.xalan.internal.res.,\
                   com.sun.org.apache.xalan.internal.templates.,\
                   com.sun.org.apache.xalan.internal.utils.,\
                   com.sun.org.apache.xalan.internal.xslt.,\
                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\
                   com.sun.org.apache.xalan.internal.xsltc.trax.,\
                   com.sun.org.apache.xalan.internal.xsltc.util.,\
                   com.sun.org.apache.xml.internal.res.,\
                   com.sun.org.apache.xml.internal.security.,\
                   com.sun.org.apache.xml.internal.serializer.dom3.,\
                   com.sun.org.apache.xml.internal.serializer.utils.,\
                   com.sun.org.apache.xml.internal.utils.,\
                   com.sun.org.glassfish.,\
                   com.sun.tools.script.,\
                   com.oracle.xmlns.internal.,\
                   com.oracle.webservices.internal.,\
                   org.jcp.xml.dsig.internal.,\
                   jdk.internal.,\
                   jdk.nashorn.internal.,\
                   jdk.nashorn.tools.,\
                   jdk.tools.jimage.,\
                   com.sun.activation.registries.,\
                   com.sun.java.accessibility.util.internal.,\
#ifdef windows
                   com.sun.java.accessibility.internal.,\
#endif
#ifdef macosx
                   apple.,\
#endif

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level name lookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
#       serious security implications. Do not set it unless
#       you are sure you are not exposed to a DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level name lookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated.
# This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 5280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc.), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation.
# For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS/DTLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS/DTLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS/DTLS security parameters negotiation, including
# protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms is usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the legacy algorithm string is described as this Java
# BNF-style:
#   LegacyAlgorithms:
#       " LegacyAlgorithm { , LegacyAlgorithm } "
#
#   LegacyAlgorithm:
#       AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
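As an added example (not code from the JDK or from this file), the following Python models the DisabledAlgorithms grammar and the case-insensitive sub-element matching rule shared by jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms, and the cipher-suite decomposition that decides whether a suite falls under jdk.tls.legacyAlgorithms. The sample strings are this file's own default values, and splitting names only at the "with"/"and" separators is an assumed simplification of the JDK's decomposer.

```python
import re

# Constructed sample values: the defaults this java.security file sets.
CERTPATH_DISABLED = "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024"
TLS_DISABLED = "SSLv3, RC4, MD5withRSA, DH keySize < 1024"
LEGACY = ("K_NULL, C_NULL, M_NULL, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, "
          "DH_DSS_EXPORT, DH_RSA_EXPORT, RSA_EXPORT, DH_anon, ECDH_anon, "
          "RC4_128, RC4_40, DES_CBC, DES40_CBC")

_OPS = {"<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}
# KeySizeConstraint rule: AlgorithmName keySize Operator DecimalInteger
_CONSTRAINT = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.I)


def parse_disabled(value):
    """Parse a DisabledAlgorithms string into (name, op, bits) tuples.

    op and bits are None for an entry without a KeySizeConstraint. Names are
    lower-cased because matching is case-insensitive. An entry that fits
    neither grammar rule is skipped, as the JDK ignores malformed entries.
    """
    entries = []
    for raw in value.split(","):
        item = " ".join(raw.split())  # collapse whitespace left by continuation lines
        m = _CONSTRAINT.match(item)
        if m:
            entries.append((m.group(1).lower(), m.group(2), int(m.group(3))))
        elif re.fullmatch(r"[\w./-]+", item):
            entries.append((item.lower(), None, None))
    return entries


def sub_elements(alg_name):
    """Case-insensitive sub-elements of a JCA name, split at the 'with'/'and'
    separators: 'SHA1withECDSA' -> {'sha1withecdsa', 'sha1', 'ecdsa'}.
    (Assumed simplification: the JDK's decomposer also knows digest aliases.)"""
    name = alg_name.lower()
    return {p for p in re.split(r"with|and", name) if p} | {name}


def is_disabled(entries, alg_name, key_bits=None):
    """Return the entry that rejects alg_name, or None if it is permitted.

    A plain entry rejects every name it is a sub-element of ('DSA' rejects
    'SHA1withDSA' but not 'SHA256withECDSA'). A KeySizeConstraint entry only
    applies when the caller passes the key size of a key algorithm.
    """
    elems = sub_elements(alg_name)
    for name, op, bits in entries:
        if name not in elems:
            continue
        if op is None or (key_bits is not None and _OPS[op](key_bits, bits)):
            return (name, op, bits)
    return None


# jdk.tls.legacyAlgorithms: a suite is legacy if its name or any component is listed
_MACS = {"NULL", "MD5", "SHA", "SHA256", "SHA384"}


def split_suite(suite):
    """SSL/TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg -> (kx, cipher, mac).

    NULL components are reported as K_NULL / C_NULL / M_NULL, the names the
    legacy list uses. TLS 1.3 suites have no _WITH_ part and are rejected.
    """
    proto, _, rest = suite.partition("_")
    kx, sep, tail = rest.partition("_WITH_")
    cipher, _, mac = tail.rpartition("_")
    if proto not in ("SSL", "TLS") or not sep or mac not in _MACS:
        raise ValueError("not a KeyExchange_WITH_Cipher_Mac suite name: " + suite)
    return (kx if kx != "NULL" else "K_NULL",
            cipher if cipher != "NULL" else "C_NULL",
            mac if mac != "NULL" else "M_NULL")


def is_legacy(legacy_value, suite):
    """True if the suite name or one of its three components is in the legacy list."""
    names = {n.strip().lower() for n in legacy_value.split(",") if n.strip()}
    return any(c.lower() in names for c in (suite,) + split_suite(suite))
```

Note that a certificate needs two calls: one on its signature algorithm name (plain entries) and one on its key algorithm with the key size (constraint entries), which is why "DSA keySize < 1024" alone does not reject a SHA1withDSA signature the way a bare "DSA" does.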
#
# Per SSL/TLS specifications, cipher suites have the form:
#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128-bit AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
#   1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
#   2. JSSE key exchange algorithm name, e.g., RSA
#   3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
#   4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
#
# In traditional SSL/TLS/DTLS connections where finite field DHE parameters
# negotiation mechanism is not used, the server offers the client group
# parameters, base generator g and prime modulus p, for DHE key exchange.
# It is recommended to use dynamic group parameters.
# This property defines
# a mechanism that allows you to specify custom group parameters.
#
# The syntax of this property string is described as this Java BNF-style:
#   DefaultDHEParameters:
#       DefinedDHEParameters { , DefinedDHEParameters }
#
#   DefinedDHEParameters:
#       "{" DHEPrimeModulus , DHEBaseGenerator "}"
#
#   DHEPrimeModulus:
#       HexadecimalDigits
#
#   DHEBaseGenerator:
#       HexadecimalDigits
#
#   HexadecimalDigits:
#       HexadecimalDigit { HexadecimalDigit }
#
#   HexadecimalDigit: one of
#       0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
#
# Whitespace characters are ignored.
#
# The "DefinedDHEParameters" defines the custom group parameters, prime
# modulus p and base generator g, for a particular size of prime modulus p.
# The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
# "DHEBaseGenerator" defines the hexadecimal base generator g of a group
# parameter. It is recommended to use safe primes for the custom group
# parameters.
#
# If this property is not defined or the value is empty, the underlying JSSE
# provider's default group parameter is used for each connection.
#
# If the property value does not follow the grammar, or a particular group
# parameter is not valid, the connection will fall back and use the
# underlying JSSE provider's default group parameter.
#
# Note: This property is currently used by OpenJDK's JSSE implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.server.defaultDHEParameters=
#       { \
#       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
#       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
#       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
#       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
#       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
#       FFFFFFFF FFFFFFFF, 2}
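An added example, not from the JDK or this file: a Python parser for the DefaultDHEParameters grammar above together with a Miller-Rabin safe-prime check of the kind a deployment review would run on a custom group before enabling it, since the JDK silently falls back to its default group on a malformed or invalid value. The sample value is the file's own example (the RFC 2409 1024-bit MODP group with g = 2); the 1024-bit floor is an assumption taken from the "DH keySize < 1024" default in jdk.tls.disabledAlgorithms.

```python
import random
import re

# The example value from this file: the RFC 2409 1024-bit MODP prime with g = 2.
# The continuation backslashes are gone here because the Properties loader
# removes them; whitespace inside the hex digits is ignored by the grammar.
EXAMPLE = """{
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
    FFFFFFFF FFFFFFFF, 2}"""

# "{" DHEPrimeModulus , DHEBaseGenerator "}" with HexadecimalDigits on each side
_GROUP = re.compile(r"\{\s*([0-9A-Fa-f\s]+?)\s*,\s*([0-9A-Fa-f\s]+?)\s*\}")


def parse_dhe_parameters(value):
    """Parse a DefaultDHEParameters string into a list of (p, g) integers.

    The JDK falls back to the provider's default group when the value does
    not follow the grammar; this checker raises instead, so a typo in a
    deployed value is caught rather than quietly ignored.
    """
    matches = list(_GROUP.finditer(value))
    leftover = _GROUP.sub("", value)  # only the separating commas may remain
    bad_sep = leftover.replace(",", "").strip() or leftover.count(",") != len(matches) - 1
    if not matches or bad_sep:
        raise ValueError("value does not follow the DefaultDHEParameters grammar")
    return [(int("".join(m.group(1).split()), 16),
             int("".join(m.group(2).split()), 16)) for m in matches]


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p, g):
    """Return the list of problems with one (p, g) group; an empty list means it passes.

    Checks the file's recommendation that p be a safe prime (p = 2q + 1 with
    q prime) and that 1 < g < p - 1, which for a safe prime guarantees g has
    order q or 2q rather than a tiny subgroup. The 1024-bit floor is an
    assumption mirroring the 'DH keySize < 1024' default above.
    """
    findings = []
    if p.bit_length() < 1024:
        findings.append("modulus is only %d bits" % p.bit_length())
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is prime but not a safe prime")
    if not 1 < g < p - 1:
        findings.append("generator must satisfy 1 < g < p - 1")
    return findings
```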