468 #
469 # A "Constraint" provides further guidance for the algorithm being specified.
470 # The "KeySizeConstraint" requires a key of a valid size range if the
471 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
472 # key size specified in number of bits. For example, "RSA keySize <= 1024"
473 # indicates that any RSA key with key size less than or equal to 1024 bits
474 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
475 # that any RSA key with key size less than 1024 or greater than 2048 should
476 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
477 # algorithms.
478 #
479 # Note: This property is currently used by Oracle's PKIX implementation. It
480 # is not guaranteed to be examined and used by other implementations.
481 #
482 # Example:
483 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
484 #
485 #
486 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
487
488 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
489 # (SSL/TLS) processing
490 #
491 # In some environments, certain algorithms or key lengths may be undesirable
492 # when using SSL/TLS. This section describes the mechanism for disabling
493 # algorithms during SSL/TLS security parameters negotiation, including
494 # protocol version negotiation, cipher suites selection, peer authentication
495 # and key exchange mechanisms.
496 #
497 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
498 # if they are enabled explicitly in an application.
499 #
500 # For PKI-based peer authentication and key exchange mechanisms, this list
501 # of disabled algorithms will also be checked during certification path
502 # building and validation, including algorithms used in certificates, as
503 # well as revocation information such as CRLs and signed OCSP Responses.
504 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
505 #
506 # See the specification of "jdk.certpath.disabledAlgorithms" for the
507 # syntax of the disabled algorithm string.
609 #
610 # If this property is not defined or the value is empty, the underlying JSSE
611 # provider's default group parameter is used for each connection.
612 #
613 # If the property value does not follow the grammar, or a particular group
614 # parameter is not valid, the connection will fall back and use the
615 # underlying JSSE provider's default group parameter.
616 #
617 # Note: This property is currently used by OpenJDK's JSSE implementation. It
618 # is not guaranteed to be examined and used by other implementations.
619 #
620 # Example:
621 # jdk.tls.server.defaultDHEParameters=
622 # { \
623 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
624 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
625 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
626 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
627 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
628 # FFFFFFFF FFFFFFFF, 2}
629
630 # Algorithm restrictions for signed JAR files
631 #
632 # In some environments, certain algorithms or key lengths may be undesirable
633 # for signed JAR validation. For example, "MD2" is generally no longer
634 # considered to be a secure hash algorithm. This section describes the
635 # mechanism for disabling algorithms based on algorithm name and/or key length.
636 # JARs signed with any of the disabled algorithms or key sizes will be treated
637 # as unsigned.
638 #
639 # The syntax of the disabled algorithm string is described as follows:
640 # DisabledAlgorithms:
641 # " DisabledAlgorithm { , DisabledAlgorithm } "
642 #
643 # DisabledAlgorithm:
644 # AlgorithmName [Constraint]
645 #
646 # AlgorithmName:
647 # (see below)
648 #
649 # Constraint:
650 # KeySizeConstraint
651 #
652 # KeySizeConstraint:
653 # keySize Operator KeyLength
654 #
655 # Operator:
656 # <= | < | == | != | >= | >
657 #
658 # KeyLength:
659 # Integer value of the algorithm's key length in bits
660 #
661 # Note: This property is currently used by the JDK Reference
662 # implementation. It is not guaranteed to be examined and used by other
663 # implementations.
664 #
665 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
|
468 #
469 # A "Constraint" provides further guidance for the algorithm being specified.
470 # The "KeySizeConstraint" requires a key of a valid size range if the
471 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
472 # key size specified in number of bits. For example, "RSA keySize <= 1024"
473 # indicates that any RSA key with key size less than or equal to 1024 bits
474 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
475 # that any RSA key with key size less than 1024 or greater than 2048 should
476 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
477 # algorithms.
478 #
479 # Note: This property is currently used by Oracle's PKIX implementation. It
480 # is not guaranteed to be examined and used by other implementations.
481 #
482 # Example:
483 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
484 #
485 #
486 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
487
488 # Algorithm restrictions for signed JAR files
489 #
490 # In some environments, certain algorithms or key lengths may be undesirable
491 # for signed JAR validation. For example, "MD2" is generally no longer
492 # considered to be a secure hash algorithm. This section describes the
493 # mechanism for disabling algorithms based on algorithm name and/or key length.
494 # JARs signed with any of the disabled algorithms or key sizes will be treated
495 # as unsigned.
496 #
497 # The syntax of the disabled algorithm string is described as follows:
498 # DisabledAlgorithms:
499 # " DisabledAlgorithm { , DisabledAlgorithm } "
500 #
501 # DisabledAlgorithm:
502 # AlgorithmName [Constraint]
503 #
504 # AlgorithmName:
505 # (see below)
506 #
507 # Constraint:
508 # KeySizeConstraint
509 #
510 # KeySizeConstraint:
511 # keySize Operator KeyLength
512 #
513 # Operator:
514 # <= | < | == | != | >= | >
515 #
516 # KeyLength:
517 # Integer value of the algorithm's key length in bits
518 #
519 # Note: This property is currently used by the JDK Reference
520 # implementation. It is not guaranteed to be examined and used by other
521 # implementations.
522 #
523 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
524
525 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
526 # (SSL/TLS) processing
527 #
528 # In some environments, certain algorithms or key lengths may be undesirable
529 # when using SSL/TLS. This section describes the mechanism for disabling
530 # algorithms during SSL/TLS security parameters negotiation, including
531 # protocol version negotiation, cipher suites selection, peer authentication
532 # and key exchange mechanisms.
533 #
534 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
535 # if they are enabled explicitly in an application.
536 #
537 # For PKI-based peer authentication and key exchange mechanisms, this list
538 # of disabled algorithms will also be checked during certification path
539 # building and validation, including algorithms used in certificates, as
540 # well as revocation information such as CRLs and signed OCSP Responses.
541 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
542 #
543 # See the specification of "jdk.certpath.disabledAlgorithms" for the
544 # syntax of the disabled algorithm string.
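Review bot: At new line 523, MD5 is added to jdk.jar.disabledAlgorithms, but the comment block above it (new lines 490-495) still gives only "MD2" as its example of a weak hash and nothing explains why MD5 is now rejected for signed JARs. That comment says JARs signed with a disabled algorithm "will be treated as unsigned", so any existing JAR with an MD5-based signature changes behaviour; suggest naming MD5 in the comment and calling out the compatibility impact in the change description. Separately, the relocated grammar at new lines 504-505 reads "AlgorithmName: (see below)", yet nothing in this section describes AlgorithmName; consider pointing to the jdk.certpath.disabledAlgorithms specification, as the SSL/TLS section does at new lines 543-544.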
646 #
647 # If this property is not defined or the value is empty, the underlying JSSE
648 # provider's default group parameter is used for each connection.
649 #
650 # If the property value does not follow the grammar, or a particular group
651 # parameter is not valid, the connection will fall back and use the
652 # underlying JSSE provider's default group parameter.
653 #
654 # Note: This property is currently used by OpenJDK's JSSE implementation. It
655 # is not guaranteed to be examined and used by other implementations.
656 #
657 # Example:
658 # jdk.tls.server.defaultDHEParameters=
659 # { \
660 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
661 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
662 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
663 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
664 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
665 # FFFFFFFF FFFFFFFF, 2}
|