1 # 2 # This is the "master security properties file". 3 # 4 # In this file, various security properties are set for use by 5 # java.security classes. This is where users can statically register 6 # Cryptography Package Providers ("providers" for short). The term 7 # "provider" refers to a package or set of packages that supply a 8 # concrete implementation of a subset of the cryptography aspects of 9 # the Java Security API. A provider may, for example, implement one or 10 # more digital signature algorithms or message digest algorithms. 11 # 12 # Each provider must implement a subclass of the Provider class. 13 # To register a provider in this master security properties file, 14 # specify the Provider subclass name and priority in the format 15 # 16 # security.provider.<n>=<className> 17 # 18 # This declares a provider, and specifies its preference 19 # order n. The preference order is the order in which providers are 20 # searched for requested algorithms (when no specific provider is 21 # requested). The order is 1-based; 1 is the most preferred, followed 22 # by 2, and so on. 23 # 24 # <className> must specify the subclass of the Provider class whose 25 # constructor sets the values of various properties that are required 26 # for the Java Security API to look up the algorithms or other 27 # facilities implemented by the provider. 28 # 29 # There must be at least one provider specification in java.security. 30 # There is a default provider that comes standard with the JDK. It 31 # is called the "SUN" provider, and its Provider subclass 32 # named Sun appears in the sun.security.provider package. Thus, the 33 # "SUN" provider is registered via the following: 34 # 35 # security.provider.1=sun.security.provider.Sun 36 # 37 # (The number 1 is used for the default provider.) 38 # 39 # Note: Providers can be dynamically registered instead by calls to 40 # either the addProvider or insertProviderAt method in the Security 41 # class. 42 43 # 44 # List of providers and their preference orders (see above): 45 # 46 security.provider.1=sun.security.provider.Sun 47 security.provider.2=sun.security.rsa.SunRsaSign 48 security.provider.3=com.sun.net.ssl.internal.ssl.Provider 49 security.provider.4=com.sun.crypto.provider.SunJCE 50 security.provider.5=sun.security.jgss.SunProvider 51 security.provider.6=com.sun.security.sasl.Provider 52 security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI 53 security.provider.8=sun.security.smartcardio.SunPCSC 54 55 # 56 # Select the source of seed data for SecureRandom. By default an 57 # attempt is made to use the entropy gathering device specified by 58 # the securerandom.source property. If an exception occurs when 59 # accessing the URL then the traditional system/thread activity 60 # algorithm is used. 61 # 62 # On Solaris and Linux systems, if file:/dev/urandom is specified and it 63 # exists, a special SecureRandom implementation is activated by default. 64 # This "NativePRNG" reads random bytes directly from /dev/urandom. 65 # 66 # On Windows systems, the URLs file:/dev/random and file:/dev/urandom 67 # enables use of the Microsoft CryptoAPI seed functionality. 68 # 69 securerandom.source=file:/dev/urandom 70 # 71 # The entropy gathering device is described as a URL and can also 72 # be specified with the system property "java.security.egd". For example, 73 # -Djava.security.egd=file:/dev/urandom 74 # Specifying this system property will override the securerandom.source 75 # setting. 76 77 # 78 # Class to instantiate as the javax.security.auth.login.Configuration 79 # provider. 80 # 81 login.configuration.provider=com.sun.security.auth.login.ConfigFile 82 83 # 84 # Default login configuration file 85 # 86 #login.config.url.1=file:${user.home}/.java.login.config 87 88 # 89 # Class to instantiate as the system Policy. This is the name of the class 90 # that will be used as the Policy object. 91 # 92 policy.provider=sun.security.provider.PolicyFile 93 94 # The default is to have a single system-wide policy file, 95 # and a policy file in the user's home directory. 96 policy.url.1=file:${java.home}/lib/security/java.policy 97 policy.url.2=file:${user.home}/.java.policy 98 99 # whether or not we expand properties in the policy file 100 # if this is set to false, properties (${...}) will not be expanded in policy 101 # files. 102 policy.expandProperties=true 103 104 # whether or not we allow an extra policy to be passed on the command line 105 # with -Djava.security.policy=somefile. Comment out this line to disable 106 # this feature. 107 policy.allowSystemProperty=true 108 109 # whether or not we look into the IdentityScope for trusted Identities 110 # when encountering a 1.1 signed JAR file. If the identity is found 111 # and is trusted, we grant it AllPermission. 112 policy.ignoreIdentityScope=false 113 114 # 115 # Default keystore type. 116 # 117 keystore.type=jks 118 119 # 120 # Class to instantiate as the system scope: 121 # 122 system.scope=sun.security.provider.IdentityDatabase 123 124 # 125 # List of comma-separated packages that start with or equal this string 126 # will cause a security exception to be thrown when 127 # passed to checkPackageAccess unless the 128 # corresponding RuntimePermission ("accessClassInPackage."+package) has 129 # been granted. 130 package.access=sun.,\ 131 com.sun.xml.internal.,\ 132 com.sun.imageio.,\ 133 com.sun.istack.internal.,\ 134 com.sun.jmx.,\ 135 com.sun.proxy.,\ 136 com.sun.corba.se.,\ 137 com.sun.script.,\ 138 com.sun.org.apache.bcel.internal.,\ 139 com.sun.org.apache.regexp.internal.,\ 140 com.sun.org.apache.xerces.internal.,\ 141 com.sun.org.apache.xpath.internal.,\ 142 com.sun.org.apache.xalan.internal.extensions.,\ 143 com.sun.org.apache.xalan.internal.lib.,\ 144 com.sun.org.apache.xalan.internal.res.,\ 145 com.sun.org.apache.xalan.internal.templates.,\ 146 com.sun.org.apache.xalan.internal.xslt.,\ 147 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ 148 com.sun.org.apache.xalan.internal.xsltc.compiler.,\ 149 com.sun.org.apache.xalan.internal.xsltc.trax.,\ 150 com.sun.org.apache.xalan.internal.xsltc.util.,\ 151 com.sun.org.apache.xml.internal.res.,\ 152 com.sun.org.apache.xml.internal.serializer.utils.,\ 153 com.sun.org.apache.xml.internal.utils.,\ 154 com.sun.org.apache.xml.internal.security.,\ 155 com.sun.org.glassfish.,\ 156 com.sun.naming.internal.,\ 157 org.jcp.xml.dsig.internal. 158 159 # 160 # List of comma-separated packages that start with or equal this string 161 # will cause a security exception to be thrown when 162 # passed to checkPackageDefinition unless the 163 # corresponding RuntimePermission ("defineClassInPackage."+package) has 164 # been granted. 165 # 166 # by default, none of the class loaders supplied with the JDK call 167 # checkPackageDefinition. 168 # 169 package.definition=sun.,\ 170 com.sun.xml.internal.,\ 171 com.sun.imageio.,\ 172 com.sun.istack.internal.,\ 173 com.sun.jmx.,\ 174 com.sun.proxy.,\ 175 com.sun.corba.se.,\ 176 com.sun.script.,\ 177 com.sun.org.apache.bcel.internal.,\ 178 com.sun.org.apache.regexp.internal.,\ 179 com.sun.org.apache.xerces.internal.,\ 180 com.sun.org.apache.xpath.internal.,\ 181 com.sun.org.apache.xalan.internal.extensions.,\ 182 com.sun.org.apache.xalan.internal.lib.,\ 183 com.sun.org.apache.xalan.internal.res.,\ 184 com.sun.org.apache.xalan.internal.templates.,\ 185 com.sun.org.apache.xalan.internal.xslt.,\ 186 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ 187 com.sun.org.apache.xalan.internal.xsltc.compiler.,\ 188 com.sun.org.apache.xalan.internal.xsltc.trax.,\ 189 com.sun.org.apache.xalan.internal.xsltc.util.,\ 190 com.sun.org.apache.xml.internal.res.,\ 191 com.sun.org.apache.xml.internal.serializer.utils.,\ 192 com.sun.org.apache.xml.internal.utils.,\ 193 com.sun.org.apache.xml.internal.security.,\ 194 com.sun.org.glassfish.,\ 195 com.sun.naming.internal.,\ 196 org.jcp.xml.dsig.internal. 197 198 # 199 # Determines whether this properties file can be appended to 200 # or overridden on the command line via -Djava.security.properties 201 # 202 security.overridePropertiesFile=true 203 204 # 205 # Determines the default key and trust manager factory algorithms for 206 # the javax.net.ssl package. 207 # 208 ssl.KeyManagerFactory.algorithm=SunX509 209 ssl.TrustManagerFactory.algorithm=PKIX 210 211 # 212 # The Java-level namelookup cache policy for successful lookups: 213 # 214 # any negative value: caching forever 215 # any positive value: the number of seconds to cache an address for 216 # zero: do not cache 217 # 218 # default value is forever (FOREVER). For security reasons, this 219 # caching is made forever when a security manager is set. When a security 220 # manager is not set, the default behavior in this implementation 221 # is to cache for 30 seconds. 222 # 223 # NOTE: setting this to anything other than the default value can have 224 # serious security implications. Do not set it unless 225 # you are sure you are not exposed to DNS spoofing attack. 226 # 227 #networkaddress.cache.ttl=-1 228 229 # The Java-level namelookup cache policy for failed lookups: 230 # 231 # any negative value: cache forever 232 # any positive value: the number of seconds to cache negative lookup results 233 # zero: do not cache 234 # 235 # In some Microsoft Windows networking environments that employ 236 # the WINS name service in addition to DNS, name service lookups 237 # that fail may take a noticeably long time to return (approx. 5 seconds). 238 # For this reason the default caching policy is to maintain these 239 # results for 10 seconds. 240 # 241 # 242 networkaddress.cache.negative.ttl=10 243 244 # 245 # Properties to configure OCSP for certificate revocation checking 246 # 247 248 # Enable OCSP 249 # 250 # By default, OCSP is not used for certificate revocation checking. 251 # This property enables the use of OCSP when set to the value "true". 252 # 253 # NOTE: SocketPermission is required to connect to an OCSP responder. 254 # 255 # Example, 256 # ocsp.enable=true 257 258 # 259 # Location of the OCSP responder 260 # 261 # By default, the location of the OCSP responder is determined implicitly 262 # from the certificate being validated. This property explicitly specifies 263 # the location of the OCSP responder. The property is used when the 264 # Authority Information Access extension (defined in RFC 3280) is absent 265 # from the certificate or when it requires overriding. 266 # 267 # Example, 268 # ocsp.responderURL=http://ocsp.example.net:80 269 270 # 271 # Subject name of the OCSP responder's certificate 272 # 273 # By default, the certificate of the OCSP responder is that of the issuer 274 # of the certificate being validated. This property identifies the certificate 275 # of the OCSP responder when the default does not apply. Its value is a string 276 # distinguished name (defined in RFC 2253) which identifies a certificate in 277 # the set of certificates supplied during cert path validation. In cases where 278 # the subject name alone is not sufficient to uniquely identify the certificate 279 # then both the "ocsp.responderCertIssuerName" and 280 # "ocsp.responderCertSerialNumber" properties must be used instead. When this 281 # property is set then those two properties are ignored. 282 # 283 # Example, 284 # ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp" 285 286 # 287 # Default ephemeral port ranges (operating system specific) 288 # used by java.net.SocketPermission to interpret the meaning of the special 289 # port value zero, as in the following example: 290 # 291 # SocketPermission("localhost:0" , "listen"); 292 # 293 # These can be overridden by the system properties: 294 # 295 # jdk.net.ephemeralPortRange.low and 296 # jdk.net.ephemeralPortRange.high 297 # 298 # respectively. 299 # 300 network.ephemeralPortRange.low=32768 301 network.ephemeralPortRange.high=65535 302 # 303 # Issuer name of the OCSP responder's certificate 304 # 305 # By default, the certificate of the OCSP responder is that of the issuer 306 # of the certificate being validated. This property identifies the certificate 307 # of the OCSP responder when the default does not apply. Its value is a string 308 # distinguished name (defined in RFC 2253) which identifies a certificate in 309 # the set of certificates supplied during cert path validation. When this 310 # property is set then the "ocsp.responderCertSerialNumber" property must also 311 # be set. When the "ocsp.responderCertSubjectName" property is set then this 312 # property is ignored. 313 # 314 # Example, 315 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" 316 317 # 318 # Serial number of the OCSP responder's certificate 319 # 320 # By default, the certificate of the OCSP responder is that of the issuer 321 # of the certificate being validated. This property identifies the certificate 322 # of the OCSP responder when the default does not apply. Its value is a string 323 # of hexadecimal digits (colon or space separators may be present) which 324 # identifies a certificate in the set of certificates supplied during cert path 325 # validation. When this property is set then the "ocsp.responderCertIssuerName" 326 # property must also be set. When the "ocsp.responderCertSubjectName" property 327 # is set then this property is ignored. 328 # 329 # Example, 330 # ocsp.responderCertSerialNumber=2A:FF:00 331 332 # 333 # Policy for failed Kerberos KDC lookups: 334 # 335 # When a KDC is unavailable (network error, service failure, etc), it is 336 # put inside a blacklist and accessed less often for future requests. The 337 # value (case-insensitive) for this policy can be: 338 # 339 # tryLast 340 # KDCs in the blacklist are always tried after those not on the list. 341 # 342 # tryLess[:max_retries,timeout] 343 # KDCs in the blacklist are still tried by their order in the configuration, 344 # but with smaller max_retries and timeout values. max_retries and timeout 345 # are optional numerical parameters (default 1 and 5000, which means once 346 # and 5 seconds). Please notes that if any of the values defined here is 347 # more than what is defined in krb5.conf, it will be ignored. 348 # 349 # Whenever a KDC is detected as available, it is removed from the blacklist. 350 # The blacklist is reset when krb5.conf is reloaded. You can add 351 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is 352 # reloaded whenever a JAAS authentication is attempted. 353 # 354 # Example, 355 # krb5.kdc.bad.policy = tryLast 356 # krb5.kdc.bad.policy = tryLess:2,2000 357 krb5.kdc.bad.policy = tryLast 358 359 # Algorithm restrictions for certification path (CertPath) processing 360 # 361 # In some environments, certain algorithms or key lengths may be undesirable 362 # for certification path building and validation. For example, "MD2" is 363 # generally no longer considered to be a secure hash algorithm. This section 364 # describes the mechanism for disabling algorithms based on algorithm name 365 # and/or key length. This includes algorithms used in certificates, as well 366 # as revocation information such as CRLs and signed OCSP Responses. 367 # 368 # The syntax of the disabled algorithm string is described as this Java 369 # BNF-style: 370 # DisabledAlgorithms: 371 # " DisabledAlgorithm { , DisabledAlgorithm } " 372 # 373 # DisabledAlgorithm: 374 # AlgorithmName [Constraint] 375 # 376 # AlgorithmName: 377 # (see below) 378 # 379 # Constraint: 380 # KeySizeConstraint 381 # 382 # KeySizeConstraint: 383 # keySize Operator DecimalInteger 384 # 385 # Operator: 386 # <= | < | == | != | >= | > 387 # 388 # DecimalInteger: 389 # DecimalDigits 390 # 391 # DecimalDigits: 392 # DecimalDigit {DecimalDigit} 393 # 394 # DecimalDigit: one of 395 # 1 2 3 4 5 6 7 8 9 0 396 # 397 # The "AlgorithmName" is the standard algorithm name of the disabled 398 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name 399 # Documentation" for information about Standard Algorithm Names. Matching 400 # is performed using a case-insensitive sub-element matching rule. (For 401 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and 402 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a 403 # sub-element of the certificate algorithm name, the algorithm will be 404 # rejected during certification path building and validation. For example, 405 # the assertion algorithm name "DSA" will disable all certificate algorithms 406 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion 407 # will not disable algorithms related to "ECDSA". 408 # 409 # A "Constraint" provides further guidance for the algorithm being specified. 410 # The "KeySizeConstraint" requires a key of a valid size range if the 411 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the 412 # key size specified in number of bits. For example, "RSA keySize <= 1024" 413 # indicates that any RSA key with key size less than or equal to 1024 bits 414 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates 415 # that any RSA key with key size less than 1024 or greater than 2048 should 416 # be disabled. Note that the "KeySizeConstraint" only makes sense to key 417 # algorithms. 418 # 419 # Note: This property is currently used by Oracle's PKIX implementation. It 420 # is not guaranteed to be examined and used by other implementations. 421 # 422 # Example: 423 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 424 # 425 # 426 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 427 428 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 429 # (SSL/TLS) processing 430 # 431 # In some environments, certain algorithms or key lengths may be undesirable 432 # when using SSL/TLS. This section describes the mechanism for disabling 433 # algorithms during SSL/TLS security parameters negotiation, including 434 # protocol version negotiation, cipher suites selection, peer authentication 435 # and key exchange mechanisms. 436 # 437 # Disabled algorithms will not be negotiated for SSL/TLS connections, even 438 # if they are enabled explicitly in an application. 439 # 440 # For PKI-based peer authentication and key exchange mechanisms, this list 441 # of disabled algorithms will also be checked during certification path 442 # building and validation, including algorithms used in certificates, as 443 # well as revocation information such as CRLs and signed OCSP Responses. 444 # This is in addition to the jdk.certpath.disabledAlgorithms property above. 445 # 446 # See the specification of "jdk.certpath.disabledAlgorithms" for the 447 # syntax of the disabled algorithm string. 448 # 449 # Note: This property is currently used by Oracle's JSSE implementation. 450 # It is not guaranteed to be examined and used by other implementations. 451 # 452 # Example: 453 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 454 jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 455 456 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) 457 # processing in JSSE implementation. 458 # 459 # In some environments, a certain algorithm may be undesirable but it 460 # cannot be disabled because of its use in legacy applications. Legacy 461 # algorithms may still be supported, but applications should not use them 462 # as the security strength of legacy algorithms are usually not strong enough 463 # in practice. 464 # 465 # During SSL/TLS security parameters negotiation, legacy algorithms will 466 # not be negotiated unless there are no other candidates. 467 # 468 # The syntax of the disabled algorithm string is described as this Java 469 # BNF-style: 470 # LegacyAlgorithms: 471 # " LegacyAlgorithm { , LegacyAlgorithm } " 472 # 473 # LegacyAlgorithm: 474 # AlgorithmName (standard JSSE algorithm name) 475 # 476 # See the specification of security property "jdk.certpath.disabledAlgorithms" 477 # for the syntax and description of the "AlgorithmName" notation. 478 # 479 # Per SSL/TLS specifications, cipher suites have the form: 480 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg 481 # or 482 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg 483 # 484 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the 485 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC 486 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest 487 # algorithm for HMAC. 488 # 489 # The LegacyAlgorithm can be one of the following standard algorithm names: 490 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA 491 # 2. JSSE key exchange algorithm name, e.g., RSA 492 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC 493 # 4. JSSE message digest algorithm name, e.g., SHA 494 # 495 # See SSL/TLS specifications and "Java Cryptography Architecture Standard 496 # Algorithm Name Documentation" for information about the algorithm names. 497 # 498 # Note: This property is currently used by Oracle's JSSE implementation. 499 # It is not guaranteed to be examined and used by other implementations. 500 # There is no guarantee the property will continue to exist or be of the 501 # same syntax in future releases. 502 # 503 # Example: 504 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 505 # 506 jdk.tls.legacyAlgorithms= \ 507 K_NULL, C_NULL, M_NULL, \ 508 DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ 509 DH_RSA_EXPORT, RSA_EXPORT, \ 510 DH_anon, ECDH_anon, \ 511 RC4_128, RC4_40, DES_CBC, DES40_CBC 512 513 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE) 514 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing. 515 # 516 # In traditional SSL/TLS/DTLS connections where finite field DHE parameters 517 # negotiation mechanism is not used, the server offers the client group 518 # parameters, base generator g and prime modulus p, for DHE key exchange. 519 # It is recommended to use dynamic group parameters. This property defines 520 # a mechanism that allows you to specify custom group parameters. 521 # 522 # The syntax of this property string is described as this Java BNF-style: 523 # DefaultDHEParameters: 524 # DefinedDHEParameters { , DefinedDHEParameters } 525 # 526 # DefinedDHEParameters: 527 # "{" DHEPrimeModulus , DHEBaseGenerator "}" 528 # 529 # DHEPrimeModulus: 530 # HexadecimalDigits 531 # 532 # DHEBaseGenerator: 533 # HexadecimalDigits 534 # 535 # HexadecimalDigits: 536 # HexadecimalDigit { HexadecimalDigit } 537 # 538 # HexadecimalDigit: one of 539 # 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f 540 # 541 # Whitespace characters are ignored. 542 # 543 # The "DefinedDHEParameters" defines the custom group parameters, prime 544 # modulus p and base generator g, for a particular size of prime modulus p. 545 # The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the 546 # "DHEBaseGenerator" defines the hexadecimal base generator g of a group 547 # parameter. It is recommended to use safe primes for the custom group 548 # parameters. 549 # 550 # If this property is not defined or the value is empty, the underlying JSSE 551 # provider's default group parameter is used for each connection. 552 # 553 # If the property value does not follow the grammar, or a particular group 554 # parameter is not valid, the connection will fall back and use the 555 # underlying JSSE provider's default group parameter. 556 # 557 # Note: This property is currently used by OpenJDK's JSSE implementation. It 558 # is not guaranteed to be examined and used by other implementations. 559 # 560 # Example: 561 # jdk.tls.server.defaultDHEParameters= 562 # { \ 563 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \ 564 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \ 565 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \ 566 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \ 567 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \ 568 # FFFFFFFF FFFFFFFF, 2} 569 570 # Algorithm restrictions for signed JAR files 571 # 572 # In some environments, certain algorithms or key lengths may be undesirable 573 # for signed JAR validation. For example, "MD2" is generally no longer 574 # considered to be a secure hash algorithm. This section describes the 575 # mechanism for disabling algorithms based on algorithm name and/or key length. 576 # JARs signed with any of the disabled algorithms or key sizes will be treated 577 # as unsigned. 578 # 579 # The syntax of the disabled algorithm string is described as follows: 580 # DisabledAlgorithms: 581 # " DisabledAlgorithm { , DisabledAlgorithm } " 582 # 583 # DisabledAlgorithm: 584 # AlgorithmName [Constraint] 585 # 586 # AlgorithmName: 587 # (see below) 588 # 589 # Constraint: 590 # KeySizeConstraint 591 # 592 # KeySizeConstraint: 593 # keySize Operator KeyLength 594 # 595 # Operator: 596 # <= | < | == | != | >= | > 597 # 598 # KeyLength: 599 # Integer value of the algorithm's key length in bits 600 # 601 # Note: This property is currently used by the JDK Reference 602 # implementation. It is not guaranteed to be examined and used by other 603 # implementations. 604 # 605 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024 606