
src/share/lib/security/java.security-macosx

rev 12009 : [mq]: 8167591-Add-MD5-to-signed-JAR-restrictions


 469 #
 470 # A "Constraint" provides further guidance for the algorithm being specified.
 471 # The "KeySizeConstraint" requires a key of a valid size range if the
 472 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 473 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 474 # indicates that any RSA key with key size less than or equal to 1024 bits
 475 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 476 # that any RSA key with key size less than 1024 or greater than 2048 should
 477 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 478 # algorithms.
 479 #
 480 # Note: This property is currently used by Oracle's PKIX implementation. It
 481 # is not guaranteed to be examined and used by other implementations.
 482 #
 483 # Example:
 484 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 485 #
 486 #
 487 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 488 
 489 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 490 # (SSL/TLS) processing
 491 #
 492 # In some environments, certain algorithms or key lengths may be undesirable
 493 # when using SSL/TLS.  This section describes the mechanism for disabling
 494 # algorithms during SSL/TLS security parameters negotiation, including
 495 # protocol version negotiation, cipher suites selection, peer authentication
 496 # and key exchange mechanisms.
 497 #
 498 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 499 # if they are enabled explicitly in an application.
 500 #
 501 # For PKI-based peer authentication and key exchange mechanisms, this list
 502 # of disabled algorithms will also be checked during certification path
 503 # building and validation, including algorithms used in certificates, as
 504 # well as revocation information such as CRLs and signed OCSP Responses.
 505 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 506 #
 507 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 508 # syntax of the disabled algorithm string.


 610 #
 611 # If this property is not defined or the value is empty, the underlying JSSE
 612 # provider's default group parameter is used for each connection.
 613 #
 614 # If the property value does not follow the grammar, or a particular group
 615 # parameter is not valid, the connection will fall back and use the
 616 # underlying JSSE provider's default group parameter.
 617 #
 618 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 619 # is not guaranteed to be examined and used by other implementations.
 620 #
 621 # Example:
 622 #   jdk.tls.server.defaultDHEParameters=
 623 #       { \
 624 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 625 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 626 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 627 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 628 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 629 #       FFFFFFFF FFFFFFFF, 2}
 630 
 631 # Algorithm restrictions for signed JAR files
 632 #
 633 # In some environments, certain algorithms or key lengths may be undesirable
 634 # for signed JAR validation.  For example, "MD2" is generally no longer
 635 # considered to be a secure hash algorithm.  This section describes the
 636 # mechanism for disabling algorithms based on algorithm name and/or key length.
 637 # JARs signed with any of the disabled algorithms or key sizes will be treated
 638 # as unsigned.
 639 #
 640 # The syntax of the disabled algorithm string is described as follows:
 641 #   DisabledAlgorithms:
 642 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 643 #
 644 #   DisabledAlgorithm:
 645 #       AlgorithmName [Constraint]
 646 #
 647 #   AlgorithmName:
 648 #       (see below)
 649 #
 650 #   Constraint:
 651 #       KeySizeConstraint
 652 #
 653 #   KeySizeConstraint:
 654 #       keySize Operator KeyLength
 655 #
 656 #   Operator:
 657 #       <= | < | == | != | >= | >
 658 #
 659 #   KeyLength:
 660 #       Integer value of the algorithm's key length in bits
 661 #
 662 # Note: This property is currently used by the JDK Reference
 663 # implementation. It is not guaranteed to be examined and used by other
 664 # implementations.
 665 #
 666 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
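Review bot: the pre-change value at 666, `jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024`, still accepts MD5 for signed-JAR validation even though 487 already lists MD5 in `jdk.certpath.disabledAlgorithms`, so a JAR signed with an MD5-based signature verifies as signed while the same digest is rejected during certification path validation of the signer's certificate; adding MD5 here closes that gap and brings the two lists back into line.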


 469 #
 470 # A "Constraint" provides further guidance for the algorithm being specified.
 471 # The "KeySizeConstraint" requires a key of a valid size range if the
 472 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 473 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 474 # indicates that any RSA key with key size less than or equal to 1024 bits
 475 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 476 # that any RSA key with key size less than 1024 or greater than 2048 should
 477 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 478 # algorithms.
 479 #
 480 # Note: This property is currently used by Oracle's PKIX implementation. It
 481 # is not guaranteed to be examined and used by other implementations.
 482 #
 483 # Example:
 484 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 485 #
 486 #
 487 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 488 
 489 # Algorithm restrictions for signed JAR files
 490 #
 491 # In some environments, certain algorithms or key lengths may be undesirable
 492 # for signed JAR validation.  For example, "MD2" is generally no longer
 493 # considered to be a secure hash algorithm.  This section describes the
 494 # mechanism for disabling algorithms based on algorithm name and/or key length.
 495 # JARs signed with any of the disabled algorithms or key sizes will be treated
 496 # as unsigned.
 497 #
 498 # The syntax of the disabled algorithm string is described as follows:
 499 #   DisabledAlgorithms:
 500 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 501 #
 502 #   DisabledAlgorithm:
 503 #       AlgorithmName [Constraint]
 504 #
 505 #   AlgorithmName:
 506 #       (see below)
 507 #
 508 #   Constraint:
 509 #       KeySizeConstraint
 510 #
 511 #   KeySizeConstraint:
 512 #       keySize Operator KeyLength
 513 #
 514 #   Operator:
 515 #       <= | < | == | != | >= | >
 516 #
 517 #   KeyLength:
 518 #       Integer value of the algorithm's key length in bits
 519 #
 520 # Note: This property is currently used by the JDK Reference
 521 # implementation. It is not guaranteed to be examined and used by other
 522 # implementations.
 523 #
 524 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 525 
 526 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 527 # (SSL/TLS) processing
 528 #
 529 # In some environments, certain algorithms or key lengths may be undesirable
 530 # when using SSL/TLS.  This section describes the mechanism for disabling
 531 # algorithms during SSL/TLS security parameters negotiation, including
 532 # protocol version negotiation, cipher suites selection, peer authentication
 533 # and key exchange mechanisms.
 534 #
 535 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 536 # if they are enabled explicitly in an application.
 537 #
 538 # For PKI-based peer authentication and key exchange mechanisms, this list
 539 # of disabled algorithms will also be checked during certification path
 540 # building and validation, including algorithms used in certificates, as
 541 # well as revocation information such as CRLs and signed OCSP Responses.
 542 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 543 #
 544 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 545 # syntax of the disabled algorithm string.
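Review bot: the explanatory text at 491-494 still names only "MD2" as the example of a hash that is no longer considered secure; now that 524 also disables MD5, extend the example (e.g. `# for signed JAR validation.  For example, "MD2" and "MD5" are generally no longer` / `# considered to be secure hash algorithms.  This section describes the`) so the comment matches the value. It would also help to state whether the restriction applies to the signature algorithm in the signature block, to the digest algorithms used in the manifest and signature file, or to both, since "treated as unsigned" at 495-496 is the only consequence described. Moving the block ahead of the SSL/TLS section is harmless, as that section only refers back to `jdk.certpath.disabledAlgorithms` at 542. Finally, this is the macosx copy of java.security; make sure the same edit lands in the sibling per-platform copies so the restriction set does not differ by platform.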


 647 #
 648 # If this property is not defined or the value is empty, the underlying JSSE
 649 # provider's default group parameter is used for each connection.
 650 #
 651 # If the property value does not follow the grammar, or a particular group
 652 # parameter is not valid, the connection will fall back and use the
 653 # underlying JSSE provider's default group parameter.
 654 #
 655 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 656 # is not guaranteed to be examined and used by other implementations.
 657 #
 658 # Example:
 659 #   jdk.tls.server.defaultDHEParameters=
 660 #       { \
 661 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 662 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 663 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 664 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 665 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 666 #       FFFFFFFF FFFFFFFF, 2}