
src/share/lib/security/java.security-solaris

rev 12009 : [mq]: 8167591-Add-MD5-to-signed-JAR-restrictions


 468 #
 469 # A "Constraint" provides further guidance for the algorithm being specified.
 470 # The "KeySizeConstraint" requires a key of a valid size range if the
 471 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 472 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 473 # indicates that any RSA key with key size less than or equal to 1024 bits
 474 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 475 # that any RSA key with key size less than 1024 or greater than 2048 should
 476 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 477 # algorithms.
 478 #
 479 # Note: This property is currently used by Oracle's PKIX implementation. It
 480 # is not guaranteed to be examined and used by other implementations.
 481 #
 482 # Example:
 483 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 484 #
 485 #
 486 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 487 
 488 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 489 # (SSL/TLS) processing
 490 #
 491 # In some environments, certain algorithms or key lengths may be undesirable
 492 # when using SSL/TLS.  This section describes the mechanism for disabling
 493 # algorithms during SSL/TLS security parameters negotiation, including
 494 # protocol version negotiation, cipher suites selection, peer authentication
 495 # and key exchange mechanisms.
 496 #
 497 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 498 # if they are enabled explicitly in an application.
 499 #
 500 # For PKI-based peer authentication and key exchange mechanisms, this list
 501 # of disabled algorithms will also be checked during certification path
 502 # building and validation, including algorithms used in certificates, as
 503 # well as revocation information such as CRLs and signed OCSP Responses.
 504 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 505 #
 506 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 507 # syntax of the disabled algorithm string.


 609 #
 610 # If this property is not defined or the value is empty, the underlying JSSE
 611 # provider's default group parameter is used for each connection.
 612 #
 613 # If the property value does not follow the grammar, or a particular group
 614 # parameter is not valid, the connection will fall back and use the
 615 # underlying JSSE provider's default group parameter.
 616 #
 617 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 618 # is not guaranteed to be examined and used by other implementations.
 619 #
 620 # Example:
 621 #   jdk.tls.server.defaultDHEParameters=
 622 #       { \
 623 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 624 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 625 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 626 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 627 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 628 #       FFFFFFFF FFFFFFFF, 2}
 629 
 630 # Algorithm restrictions for signed JAR files
 631 #
 632 # In some environments, certain algorithms or key lengths may be undesirable
 633 # for signed JAR validation.  For example, "MD2" is generally no longer
 634 # considered to be a secure hash algorithm.  This section describes the
 635 # mechanism for disabling algorithms based on algorithm name and/or key length.
 636 # JARs signed with any of the disabled algorithms or key sizes will be treated
 637 # as unsigned.
 638 #
 639 # The syntax of the disabled algorithm string is described as follows:
 640 #   DisabledAlgorithms:
 641 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 642 #
 643 #   DisabledAlgorithm:
 644 #       AlgorithmName [Constraint]
 645 #
 646 #   AlgorithmName:
 647 #       (see below)
 648 #
 649 #   Constraint:
 650 #       KeySizeConstraint
 651 #
 652 #   KeySizeConstraint:
 653 #       keySize Operator KeyLength
 654 #
 655 #   Operator:
 656 #       <= | < | == | != | >= | >
 657 #
 658 #   KeyLength:
 659 #       Integer value of the algorithm's key length in bits
 660 #
 661 # Note: This property is currently used by the JDK Reference
 662 # implementation. It is not guaranteed to be examined and used by other
 663 # implementations.
 664 #
 665 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024


 468 #
 469 # A "Constraint" provides further guidance for the algorithm being specified.
 470 # The "KeySizeConstraint" requires a key of a valid size range if the
 471 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 472 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 473 # indicates that any RSA key with key size less than or equal to 1024 bits
 474 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 475 # that any RSA key with key size less than 1024 or greater than 2048 should
 476 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 477 # algorithms.
 478 #
 479 # Note: This property is currently used by Oracle's PKIX implementation. It
 480 # is not guaranteed to be examined and used by other implementations.
 481 #
 482 # Example:
 483 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 484 #
 485 #
 486 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 487 
 488 # Algorithm restrictions for signed JAR files
 489 #
 490 # In some environments, certain algorithms or key lengths may be undesirable
 491 # for signed JAR validation.  For example, "MD2" is generally no longer
 492 # considered to be a secure hash algorithm.  This section describes the
 493 # mechanism for disabling algorithms based on algorithm name and/or key length.
 494 # JARs signed with any of the disabled algorithms or key sizes will be treated
 495 # as unsigned.
 496 #
 497 # The syntax of the disabled algorithm string is described as follows:
 498 #   DisabledAlgorithms:
 499 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 500 #
 501 #   DisabledAlgorithm:
 502 #       AlgorithmName [Constraint]
 503 #
 504 #   AlgorithmName:
 505 #       (see below)
 506 #
 507 #   Constraint:
 508 #       KeySizeConstraint
 509 #
 510 #   KeySizeConstraint:
 511 #       keySize Operator KeyLength
 512 #
 513 #   Operator:
 514 #       <= | < | == | != | >= | >
 515 #
 516 #   KeyLength:
 517 #       Integer value of the algorithm's key length in bits
 518 #
 519 # Note: This property is currently used by the JDK Reference
 520 # implementation. It is not guaranteed to be examined and used by other
 521 # implementations.
 522 #
 523 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 524 
 525 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 526 # (SSL/TLS) processing
 527 #
 528 # In some environments, certain algorithms or key lengths may be undesirable
 529 # when using SSL/TLS.  This section describes the mechanism for disabling
 530 # algorithms during SSL/TLS security parameters negotiation, including
 531 # protocol version negotiation, cipher suites selection, peer authentication
 532 # and key exchange mechanisms.
 533 #
 534 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 535 # if they are enabled explicitly in an application.
 536 #
 537 # For PKI-based peer authentication and key exchange mechanisms, this list
 538 # of disabled algorithms will also be checked during certification path
 539 # building and validation, including algorithms used in certificates, as
 540 # well as revocation information such as CRLs and signed OCSP Responses.
 541 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 542 #
 543 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 544 # syntax of the disabled algorithm string.
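Review bot: the explanatory comment in the relocated "Algorithm restrictions for signed JAR files" section still names only MD2 as the example of a hash no longer considered secure (`# for signed JAR validation.  For example, "MD2" is generally no longer` / `# considered to be a secure hash algorithm.`), while the value line now also disables MD5 (`jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024`); since adding MD5 is the whole point of 8167591, the comment should mention MD5 alongside MD2 so readers see why JARs signed with MD5 will be treated as unsigned. The new jar value is otherwise consistent with `jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024` earlier in the file, and moving the signed-JAR section ahead of the SSL/TLS section is fine, because the SSL/TLS comment's reference to "the jdk.certpath.disabledAlgorithms property above" still holds.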


 646 #
 647 # If this property is not defined or the value is empty, the underlying JSSE
 648 # provider's default group parameter is used for each connection.
 649 #
 650 # If the property value does not follow the grammar, or a particular group
 651 # parameter is not valid, the connection will fall back and use the
 652 # underlying JSSE provider's default group parameter.
 653 #
 654 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 655 # is not guaranteed to be examined and used by other implementations.
 656 #
 657 # Example:
 658 #   jdk.tls.server.defaultDHEParameters=
 659 #       { \
 660 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 661 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 662 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 663 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 664 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 665 #       FFFFFFFF FFFFFFFF, 2}