src/share/lib/security/java.security-linux

rev 13446 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

*** 979,983 ****
--- 979,1006 ----
  # The filter pattern uses the same format as jdk.serialFilter. The default
  # pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
  # and javax.crypto.spec.SecretKeySpec and rejects all the others.
  jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
    java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
+ 
+ #
+ # Policies for distrusting Certificate Authorities (CAs).
+ #
+ # This is a comma separated value of one or more case-sensitive strings, each
+ # of which represents a policy for determining if a CA should be distrusted.
+ # The supported values are:
+ #
+ # SYMANTEC_TLS : Distrust TLS Server certificates anchored by
+ #                a Symantec root CA and issued after April 16, 2019.
+ #
+ # Leading and trailing whitespace surrounding each value are ignored.
+ # Unknown values are ignored. If the property is commented out or set to the
+ # empty String, no policies are enforced.
+ #
+ # Note: This property is currently used by the JDK Reference implementation.
+ # It is not guaranteed to be supported by other SE implementations. Also, this
+ # property does not override other security properties which can restrict
+ # certificates such as jdk.tls.disabledAlgorithms or
+ # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
+ # if this property is not enabled.
+ #
+ jdk.security.caDistrustPolicies=SYMANTEC_TLS