src/share/lib/security/java.security-macosx
rev 14231 : 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Reviewed-by: mullan, xuelei, weijun
*** 453,462 ****
--- 453,478 ----
# Maximum number of AS or TGS referrals to avoid infinite loops. Value may
# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
sun.security.krb5.maxReferrals=5
#
+ # This property contains a list of disabled EC Named Curves that can be included
+ # in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
+ # list in any of the disabledAlgorithms properties, add the property name as
+ # an entry.
+ jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
+ secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+ secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+ sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+ sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+ sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+ X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+ X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+ X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+ brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
+ #
# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
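Review bot: the sentence "To include this list in any of the disabledAlgorithms properties, add the property name as an entry" understates the syntax; under the grammar this change introduces, a bare property name would be read as an AlgorithmName, and the entries actually added to the three properties below use the keyword form `include jdk.disabled.namedCurves`. Suggest "add an entry of the form `include jdk.disabled.namedCurves`". The comment also gives no criterion for the list: several members (secp256k1, sect409k1, sect409r1, sect571k1, sect571r1, brainpoolP256r1 through brainpoolP512r1) sit well above the existing "EC keySize < 224" cutoff, so a reader cannot infer from the keySize rule why they are here; one line stating the selection criterion would let administrators judge whether re-enabling a particular curve is safe. Minor style point: `jdk.disabled.namedCurves = secp112r1` pads the `=` with spaces, unlike every other property in this file.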
*** 466,476 ****
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
! # AlgorithmName [Constraint] { '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
--- 482,492 ----
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
! # AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty
#
# AlgorithmName:
# (see below)
#
# Constraint:
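Review bot: the grammar "AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty" still says nothing about algorithm names that themselves contain a space, yet the new jdk.disabled.namedCurves list is full of them (X9.62 c2tnb191v1, X9.62 prime239v1, and so on). Read literally, "X9.62 c2tnb191v1" parses as AlgorithmName "X9.62" followed by an unrecognised Constraint. Suggest a sentence after the grammar stating that a multi-word EC named curve is accepted as a single AlgorithmName, or spelling out the disambiguation rule the parser applies.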
*** 493,502 ****
--- 509,521 ----
# denyAfter YYYY-MM-DD
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
#
+ # IncludeProperty:
+ # include <security property>
+ #
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
*** 505,514 ****
--- 524,541 ----
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
+ # The "IncludeProperty" allows a implementation-defined security property that
+ # can be included in the disabledAlgorithms properties. These properties are
+ # to help manage common actions easier across multiple disabledAlgorithm
+ # properties.
+ # There is one defined security property: jdk.disabled.NamedCurves
+ # See the property for more specific details.
+ #
+ #
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
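Review bot: the property named in "There is one defined security property: jdk.disabled.NamedCurves" does not match the property actually defined above, jdk.disabled.namedCurves (lower-case n); security property names are case-sensitive, so anyone copying the name from this paragraph gets an include that resolves to nothing and leaves every curve enabled. Fix the case. The paragraph also needs "an implementation-defined" rather than "a implementation-defined", and "to help manage common actions easier across multiple disabledAlgorithm properties" should read "to make common changes easier to manage across the disabledAlgorithms properties". Separately, the IncludeProperty definition does not say what happens when the included property is undefined or empty, or whether an included property may itself contain include entries; both deserve a sentence, since a silent no-op here is exactly the failure mode the case mismatch above would produce.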
*** 577,587 ****
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
! RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
--- 604,615 ----
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
! RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
! include jdk.disabled.namedCurves
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
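Review bot: the "Example:" block two lines above the property (jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048) is the only worked example in this section and does not show the new include form; consider extending it to "..., RSA keySize < 2048, include jdk.disabled.namedCurves" so the syntax introduced here has a visible example. It would also be worth noting in the comment that the curves below 224 bits in the included list (the secp112/128/160/192, sect113/131/163/193, c2tnb191 and prime192 entries) are already rejected by the adjacent "EC keySize < 224" constraint, so for CertPath the include's effective additions are the 224-bit and larger curves.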
*** 620,630 ****
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
! jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
--- 648,659 ----
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
! jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
! DSA keySize < 1024, include jdk.disabled.namedCurves
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
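Review bot: jdk.jar.disabledAlgorithms gains the curve include but, unlike jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms in this same change, carries no "EC keySize < 224" constraint, so a signed JAR using a small EC curve that is not in jdk.disabled.namedCurves would still be accepted while the same key is rejected for CertPath and TLS. If the omission is intentional, a comment line saying so would help; otherwise add "EC keySize < 224" alongside the include for consistency.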
*** 653,663 ****
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
! EC keySize < 224, 3DES_EDE_CBC, anon, NULL
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
--- 682,693 ----
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
! EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
! include jdk.disabled.namedCurves
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
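Review bot: the jdk.tls.disabledAlgorithms section defers to jdk.certpath.disabledAlgorithms for syntax, but the IncludeProperty text there frames the curve list purely in terms of certification path building and validation; the TLS comment should state what disabling a named curve means in the handshake, whether it only rejects peer certificates on that curve or also removes the curve from the named groups the client offers and the server accepts, since the two have very different interoperability impact for operators who keep, say, brainpoolP256r1 in use. While touching this line, the continuation "include jdk.disabled.namedCurves" runs straight into the "# Legacy algorithms ..." header with no separating "#" line, unlike the other properties in this file.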