469 #
470 # A "Constraint" provides further guidance for the algorithm being specified.
471 # The "KeySizeConstraint" requires a key of a valid size range if the
472 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
473 # key size specified in number of bits. For example, "RSA keySize <= 1024"
474 # indicates that any RSA key with key size less than or equal to 1024 bits
475 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
476 # that any RSA key with key size less than 1024 or greater than 2048 should
477 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
478 # algorithms.
479 #
480 # Note: This property is currently used by Oracle's PKIX implementation. It
481 # is not guaranteed to be examined and used by other implementations.
482 #
483 # Example:
484 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
485 #
486 #
487 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
488
489 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
490 # (SSL/TLS) processing
491 #
492 # In some environments, certain algorithms or key lengths may be undesirable
493 # when using SSL/TLS. This section describes the mechanism for disabling
494 # algorithms during SSL/TLS security parameters negotiation, including
495 # protocol version negotiation, cipher suites selection, peer authentication
496 # and key exchange mechanisms.
497 #
498 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
499 # if they are enabled explicitly in an application.
500 #
501 # For PKI-based peer authentication and key exchange mechanisms, this list
502 # of disabled algorithms will also be checked during certification path
503 # building and validation, including algorithms used in certificates, as
504 # well as revocation information such as CRLs and signed OCSP Responses.
505 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
506 #
507 # See the specification of "jdk.certpath.disabledAlgorithms" for the
508 # syntax of the disabled algorithm string.
610 #
611 # If this property is not defined or the value is empty, the underlying JSSE
612 # provider's default group parameter is used for each connection.
613 #
614 # If the property value does not follow the grammar, or a particular group
615 # parameter is not valid, the connection will fall back and use the
616 # underlying JSSE provider's default group parameter.
617 #
618 # Note: This property is currently used by OpenJDK's JSSE implementation. It
619 # is not guaranteed to be examined and used by other implementations.
620 #
621 # Example:
622 # jdk.tls.server.defaultDHEParameters=
623 # { \
624 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
625 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
626 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
627 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
628 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
629 # FFFFFFFF FFFFFFFF, 2}
630
631 # Algorithm restrictions for signed JAR files
632 #
633 # In some environments, certain algorithms or key lengths may be undesirable
634 # for signed JAR validation. For example, "MD2" is generally no longer
635 # considered to be a secure hash algorithm. This section describes the
636 # mechanism for disabling algorithms based on algorithm name and/or key length.
637 # JARs signed with any of the disabled algorithms or key sizes will be treated
638 # as unsigned.
639 #
640 # The syntax of the disabled algorithm string is described as follows:
641 # DisabledAlgorithms:
642 # " DisabledAlgorithm { , DisabledAlgorithm } "
643 #
644 # DisabledAlgorithm:
645 # AlgorithmName [Constraint]
646 #
647 # AlgorithmName:
648 # (see below)
649 #
650 # Constraint:
651 # KeySizeConstraint
652 #
653 # KeySizeConstraint:
654 # keySize Operator KeyLength
655 #
656 # Operator:
657 # <= | < | == | != | >= | >
658 #
659 # KeyLength:
660 # Integer value of the algorithm's key length in bits
661 #
662 # Note: This property is currently used by the JDK Reference
663 # implementation. It is not guaranteed to be examined and used by other
664 # implementations.
665 #
666 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
|
469 #
470 # A "Constraint" provides further guidance for the algorithm being specified.
471 # The "KeySizeConstraint" requires a key of a valid size range if the
472 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
473 # key size specified in number of bits. For example, "RSA keySize <= 1024"
474 # indicates that any RSA key with key size less than or equal to 1024 bits
475 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
476 # that any RSA key with key size less than 1024 or greater than 2048 should
477 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
478 # algorithms.
479 #
480 # Note: This property is currently used by Oracle's PKIX implementation. It
481 # is not guaranteed to be examined and used by other implementations.
482 #
483 # Example:
484 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
485 #
486 #
487 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
488
489 # Algorithm restrictions for signed JAR files
490 #
491 # In some environments, certain algorithms or key lengths may be undesirable
492 # for signed JAR validation. For example, "MD2" is generally no longer
493 # considered to be a secure hash algorithm. This section describes the
494 # mechanism for disabling algorithms based on algorithm name and/or key length.
495 # JARs signed with any of the disabled algorithms or key sizes will be treated
496 # as unsigned.
497 #
498 # The syntax of the disabled algorithm string is described as follows:
499 # DisabledAlgorithms:
500 # " DisabledAlgorithm { , DisabledAlgorithm } "
501 #
502 # DisabledAlgorithm:
503 # AlgorithmName [Constraint]
504 #
505 # AlgorithmName:
506 # (see below)
507 #
508 # Constraint:
509 # KeySizeConstraint
510 #
511 # KeySizeConstraint:
512 # keySize Operator KeyLength
513 #
514 # Operator:
515 # <= | < | == | != | >= | >
516 #
517 # KeyLength:
518 # Integer value of the algorithm's key length in bits
519 #
520 # Note: This property is currently used by the JDK Reference
521 # implementation. It is not guaranteed to be examined and used by other
522 # implementations.
523 #
524 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
525
526 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
527 # (SSL/TLS) processing
528 #
529 # In some environments, certain algorithms or key lengths may be undesirable
530 # when using SSL/TLS. This section describes the mechanism for disabling
531 # algorithms during SSL/TLS security parameters negotiation, including
532 # protocol version negotiation, cipher suites selection, peer authentication
533 # and key exchange mechanisms.
534 #
535 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
536 # if they are enabled explicitly in an application.
537 #
538 # For PKI-based peer authentication and key exchange mechanisms, this list
539 # of disabled algorithms will also be checked during certification path
540 # building and validation, including algorithms used in certificates, as
541 # well as revocation information such as CRLs and signed OCSP Responses.
542 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
543 #
544 # See the specification of "jdk.certpath.disabledAlgorithms" for the
545 # syntax of the disabled algorithm string.
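Review bot: Adding MD5 to jdk.jar.disabledAlgorithms (new line 524) is not reflected in the comment block above it: line 492 still gives only "MD2" as the example of a weak hash, while lines 495-496 state that JARs signed with a disabled algorithm are treated as unsigned, so with this default MD5-signed JARs will be treated as unsigned. Suggest naming MD5 alongside MD2 in the comment and calling out the compatibility impact in the change description. Also, "AlgorithmName: (see below)" at lines 505-506 is followed by nothing in this block that lists algorithm names; either point to the jdk.certpath.disabledAlgorithms specification, as the TLS section does at lines 544-545, or drop the "(see below)".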
647 #
648 # If this property is not defined or the value is empty, the underlying JSSE
649 # provider's default group parameter is used for each connection.
650 #
651 # If the property value does not follow the grammar, or a particular group
652 # parameter is not valid, the connection will fall back and use the
653 # underlying JSSE provider's default group parameter.
654 #
655 # Note: This property is currently used by OpenJDK's JSSE implementation. It
656 # is not guaranteed to be examined and used by other implementations.
657 #
658 # Example:
659 # jdk.tls.server.defaultDHEParameters=
660 # { \
661 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
662 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
663 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
664 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
665 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
666 # FFFFFFFF FFFFFFFF, 2}
|