466 #
467 # A "Constraint" provides further guidance for the algorithm being specified.
468 # The "KeySizeConstraint" requires a key of a valid size range if the
469 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
470 # key size specified in number of bits. For example, "RSA keySize <= 1024"
471 # indicates that any RSA key with key size less than or equal to 1024 bits
472 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
473 # that any RSA key with key size less than 1024 or greater than 2048 should
474 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
475 # algorithms.
476 #
477 # Note: This property is currently used by Oracle's PKIX implementation. It
478 # is not guaranteed to be examined and used by other implementations.
479 #
480 # Example:
481 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
482 #
483 #
484 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
485
486 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
487 # (SSL/TLS) processing
488 #
489 # In some environments, certain algorithms or key lengths may be undesirable
490 # when using SSL/TLS. This section describes the mechanism for disabling
491 # algorithms during SSL/TLS security parameters negotiation, including
492 # protocol version negotiation, cipher suites selection, peer authentication
493 # and key exchange mechanisms.
494 #
495 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
496 # if they are enabled explicitly in an application.
497 #
498 # For PKI-based peer authentication and key exchange mechanisms, this list
499 # of disabled algorithms will also be checked during certification path
500 # building and validation, including algorithms used in certificates, as
501 # well as revocation information such as CRLs and signed OCSP Responses.
502 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
503 #
504 # See the specification of "jdk.certpath.disabledAlgorithms" for the
505 # syntax of the disabled algorithm string.
607 #
608 # If this property is not defined or the value is empty, the underlying JSSE
609 # provider's default group parameter is used for each connection.
610 #
611 # If the property value does not follow the grammar, or a particular group
612 # parameter is not valid, the connection will fall back and use the
613 # underlying JSSE provider's default group parameter.
614 #
615 # Note: This property is currently used by OpenJDK's JSSE implementation. It
616 # is not guaranteed to be examined and used by other implementations.
617 #
618 # Example:
619 # jdk.tls.server.defaultDHEParameters=
620 # { \
621 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
622 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
623 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
624 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
625 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
626 # FFFFFFFF FFFFFFFF, 2}
627
628 # Algorithm restrictions for signed JAR files
629 #
630 # In some environments, certain algorithms or key lengths may be undesirable
631 # for signed JAR validation. For example, "MD2" is generally no longer
632 # considered to be a secure hash algorithm. This section describes the
633 # mechanism for disabling algorithms based on algorithm name and/or key length.
634 # JARs signed with any of the disabled algorithms or key sizes will be treated
635 # as unsigned.
636 #
637 # The syntax of the disabled algorithm string is described as follows:
638 # DisabledAlgorithms:
639 # " DisabledAlgorithm { , DisabledAlgorithm } "
640 #
641 # DisabledAlgorithm:
642 # AlgorithmName [Constraint]
643 #
644 # AlgorithmName:
645 # (see below)
646 #
647 # Constraint:
648 # KeySizeConstraint
649 #
650 # KeySizeConstraint:
651 # keySize Operator KeyLength
652 #
653 # Operator:
654 # <= | < | == | != | >= | >
655 #
656 # KeyLength:
657 # Integer value of the algorithm's key length in bits
658 #
659 # Note: This property is currently used by the JDK Reference
660 # implementation. It is not guaranteed to be examined and used by other
661 # implementations.
662 #
663 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
|
466 #
467 # A "Constraint" provides further guidance for the algorithm being specified.
468 # The "KeySizeConstraint" requires a key of a valid size range if the
469 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
470 # key size specified in number of bits. For example, "RSA keySize <= 1024"
471 # indicates that any RSA key with key size less than or equal to 1024 bits
472 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
473 # that any RSA key with key size less than 1024 or greater than 2048 should
474 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
475 # algorithms.
476 #
477 # Note: This property is currently used by Oracle's PKIX implementation. It
478 # is not guaranteed to be examined and used by other implementations.
479 #
480 # Example:
481 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
482 #
483 #
484 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
485
486 # Algorithm restrictions for signed JAR files
487 #
488 # In some environments, certain algorithms or key lengths may be undesirable
489 # for signed JAR validation. For example, "MD2" is generally no longer
490 # considered to be a secure hash algorithm. This section describes the
491 # mechanism for disabling algorithms based on algorithm name and/or key length.
492 # JARs signed with any of the disabled algorithms or key sizes will be treated
493 # as unsigned.
494 #
495 # The syntax of the disabled algorithm string is described as follows:
496 # DisabledAlgorithms:
497 # " DisabledAlgorithm { , DisabledAlgorithm } "
498 #
499 # DisabledAlgorithm:
500 # AlgorithmName [Constraint]
501 #
502 # AlgorithmName:
503 # (see below)
504 #
505 # Constraint:
506 # KeySizeConstraint
507 #
508 # KeySizeConstraint:
509 # keySize Operator KeyLength
510 #
511 # Operator:
512 # <= | < | == | != | >= | >
513 #
514 # KeyLength:
515 # Integer value of the algorithm's key length in bits
516 #
517 # Note: This property is currently used by the JDK Reference
518 # implementation. It is not guaranteed to be examined and used by other
519 # implementations.
520 #
521 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
522
523 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
524 # (SSL/TLS) processing
525 #
526 # In some environments, certain algorithms or key lengths may be undesirable
527 # when using SSL/TLS. This section describes the mechanism for disabling
528 # algorithms during SSL/TLS security parameters negotiation, including
529 # protocol version negotiation, cipher suites selection, peer authentication
530 # and key exchange mechanisms.
531 #
532 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
533 # if they are enabled explicitly in an application.
534 #
535 # For PKI-based peer authentication and key exchange mechanisms, this list
536 # of disabled algorithms will also be checked during certification path
537 # building and validation, including algorithms used in certificates, as
538 # well as revocation information such as CRLs and signed OCSP Responses.
539 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
540 #
541 # See the specification of "jdk.certpath.disabledAlgorithms" for the
542 # syntax of the disabled algorithm string.
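Review bot: jdk.jar.disabledAlgorithms at new line 521 now lists MD5, but the comment paragraph above it (new lines 488-493) still names only "MD2" as the hash that is no longer considered secure, so the new entry is undocumented at the place an administrator will read. Suggest naming MD5 in that paragraph and spelling out the effect the paragraph already describes: JARs signed with MD5 will be treated as unsigned, which changes behaviour for existing signed JARs and deserves a release note. Also, the grammar entry "AlgorithmName: (see below)" at new lines 502-503 has nothing below it in this section that defines the names. Since the section is being moved anyway, point it at the "jdk.certpath.disabledAlgorithms" specification, as the SSL/TLS section does at new lines 541-542.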
644 #
645 # If this property is not defined or the value is empty, the underlying JSSE
646 # provider's default group parameter is used for each connection.
647 #
648 # If the property value does not follow the grammar, or a particular group
649 # parameter is not valid, the connection will fall back and use the
650 # underlying JSSE provider's default group parameter.
651 #
652 # Note: This property is currently used by OpenJDK's JSSE implementation. It
653 # is not guaranteed to be examined and used by other implementations.
654 #
655 # Example:
656 # jdk.tls.server.defaultDHEParameters=
657 # { \
658 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
659 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
660 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
661 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
662 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
663 # FFFFFFFF FFFFFFFF, 2}
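Review bot: the commented example for jdk.tls.server.defaultDHEParameters at new lines 657-663 is 32 eight-digit hex words, which is a 1024-bit prime with generator 2. The block is only renumbered here, so it need not change in this commit, but an administrator who uncomments it sets the server's DHE group to that size. Consider a follow-up that replaces the example with a larger group, or adds a comment line stating the size of the prime shown.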
|