src/share/lib/security/java.security-windows

rev 13446 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

@@ -977,5 +977,28 @@
 # The filter pattern uses the same format as jdk.serialFilter. The default
 # pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
 # and javax.crypto.spec.SecretKeySpec and rejects all the others.
 jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
   java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
+
+#
+# Policies for distrusting Certificate Authorities (CAs).
+#
+# This is a comma separated value of one or more case-sensitive strings, each
+# of which represents a policy for determining if a CA should be distrusted.
+# The supported values are:
+#
+# SYMANTEC_TLS : Distrust TLS Server certificates anchored by
+#                a Symantec root CA and issued after April 16, 2019.
+#
+# Leading and trailing whitespace surrounding each value are ignored.
+# Unknown values are ignored. If the property is commented out or set to the
+# empty String, no policies are enforced.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be supported by other SE implementations. Also, this
+# property does not override other security properties which can restrict
+# certificates such as jdk.tls.disabledAlgorithms or
+# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
+# if this property is not enabled.
+#
+jdk.security.caDistrustPolicies=SYMANTEC_TLS
\ No newline at end of file