src/java.base/share/conf/security/java.security




 494 # A "Constraint" provides further guidance for the algorithm being specified.
 495 # The "KeySizeConstraint" requires a key of a valid size range if the
 496 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 497 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 498 # indicates that any RSA key with key size less than or equal to 1024 bits
 499 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 500 # that any RSA key with key size less than 1024 or greater than 2048 should
 501 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 502 # algorithms.
 503 #
 504 # Note: This property is currently used by Oracle's PKIX implementation. It
 505 # is not guaranteed to be examined and used by other implementations.
 506 #
 507 # Example:
 508 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 509 #
 510 #
 511 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 512 
 513 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 514 # (SSL/TLS) processing
 515 #
 516 # In some environments, certain algorithms or key lengths may be undesirable
 517 # when using SSL/TLS.  This section describes the mechanism for disabling
 518 # algorithms during SSL/TLS security parameters negotiation, including
 519 # protocol version negotiation, cipher suites selection, peer authentication
 520 # and key exchange mechanisms.
 521 #
 522 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 523 # if they are enabled explicitly in an application.
 524 #
 525 # For PKI-based peer authentication and key exchange mechanisms, this list
 526 # of disabled algorithms will also be checked during certification path
 527 # building and validation, including algorithms used in certificates, as
 528 # well as revocation information such as CRLs and signed OCSP Responses.
 529 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 530 #
 531 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 532 # syntax of the disabled algorithm string.
 533 #
 534 # Note: This property is currently used by Oracle's JSSE implementation.
 535 # It is not guaranteed to be examined and used by other implementations.
 536 #
 537 # Example:
 538 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048


 494 # A "Constraint" provides further guidance for the algorithm being specified.
 495 # The "KeySizeConstraint" requires a key of a valid size range if the
 496 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 497 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 498 # indicates that any RSA key with key size less than or equal to 1024 bits
 499 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 500 # that any RSA key with key size less than 1024 or greater than 2048 should
 501 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 502 # algorithms.
 503 #
 504 # Note: This property is currently used by Oracle's PKIX implementation. It
 505 # is not guaranteed to be examined and used by other implementations.
 506 #
 507 # Example:
 508 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 509 #
 510 #
 511 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 512 
 513 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 514 # (SSL/TLS/DTLS) processing
 515 #
 516 # In some environments, certain algorithms or key lengths may be undesirable
 517 # when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
 518 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
 519 # protocol version negotiation, cipher suites selection, peer authentication
 520 # and key exchange mechanisms.
 521 #
 522 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 523 # if they are enabled explicitly in an application.
 524 #
 525 # For PKI-based peer authentication and key exchange mechanisms, this list
 526 # of disabled algorithms will also be checked during certification path
 527 # building and validation, including algorithms used in certificates, as
 528 # well as revocation information such as CRLs and signed OCSP Responses.
 529 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 530 #
 531 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 532 # syntax of the disabled algorithm string.
 533 #
 534 # Note: This property is currently used by Oracle's JSSE implementation.
 535 # It is not guaranteed to be examined and used by other implementations.
 536 #
 537 # Example:
 538 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
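
Review bot: line 522 in the new version still reads "Disabled algorithms will not be negotiated for SSL/TLS connections", although lines 514, 517 and 518 were updated to "SSL/TLS/DTLS". As written, a reader could conclude that the guarantee about overriding algorithms an application explicitly enables does not cover DTLS. Suggest changing line 522 to "SSL/TLS/DTLS connections" so the whole section describes the same scope.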