< prev index next >

src/java.base/share/conf/security/java.security

Print this page 







 638 # delimited by an ampersand '&'.  For example, to restrict certificates in a
 639 # chain that terminate at a distribution provided trust anchor and contain
 640 # RSA keys that are less than or equal to 1024 bits, add the following
 641 # constraint:  "RSA keySize <= 1024 & jdkCA".
 642 #
 643 # All DisabledAlgorithms expressions are processed in the order defined in the
 644 # property.  This requires lower keysize constraints to be specified
 645 # before larger keysize constraints of the same algorithm.  For example:
 646 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
 647 #
 648 # Note: This property is currently used by Oracle's PKIX implementation. It
 649 # is not guaranteed to be examined and used by other implementations.
 650 #
 651 # Example:
 652 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 653 #
 654 #
 655 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \
 656     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
 657 






































 658 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 659 # (SSL/TLS/DTLS) processing
 660 #
 661 # In some environments, certain algorithms or key lengths may be undesirable
 662 # when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
 663 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
 664 # protocol version negotiation, cipher suites selection, peer authentication
 665 # and key exchange mechanisms.
 666 #
 667 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 668 # if they are enabled explicitly in an application.
 669 #
 670 # For PKI-based peer authentication and key exchange mechanisms, this list
 671 # of disabled algorithms will also be checked during certification path
 672 # building and validation, including algorithms used in certificates, as
 673 # well as revocation information such as CRLs and signed OCSP Responses.
 674 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 675 #
 676 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 677 # syntax of the disabled algorithm string.


 918 # Other patterns, from left to right, match the class or package name as
 919 # returned from Class.getName.
 920 # If the class is an array type, the class or package to be matched is the element type.
 921 # Arrays of any number of dimensions are treated the same as the element type.
 922 # For example, a pattern of "!example.Foo", rejects creation of any instance or
 923 # array of example.Foo.
 924 #
 925 # If the pattern starts with "!", the status is REJECTED if the remaining pattern
 926 #   is matched; otherwise the status is ALLOWED if the pattern matches.
 927 # If the pattern contains "/", the non-empty prefix up to the "/" is the module name;
 928 #   if the module name matches the module name of the class then
 929 #   the remaining pattern is matched with the class name.
 930 #   If there is no "/", the module name is not compared.
 931 # If the pattern ends with ".**" it matches any class in the package and all subpackages.
 932 # If the pattern ends with ".*" it matches any class in the package.
 933 # If the pattern ends with "*", it matches any class with the pattern as a prefix.
 934 # If the pattern is equal to the class name, it matches.
 935 # Otherwise, the status is UNDECIDED.
 936 #
 937 #jdk.serialFilter=pattern;pattern
 938 
 939 # Algorithm restrictions for signed JAR files
 940 #
 941 # In some environments, certain algorithms or key lengths may be undesirable
 942 # for signed JAR validation.  For example, "MD2" is generally no longer
 943 # considered to be a secure hash algorithm.  This section describes the
 944 # mechanism for disabling algorithms based on algorithm name and/or key length.
 945 # JARs signed with any of the disabled algorithms or key sizes will be treated
 946 # as unsigned.
 947 #
 948 # The syntax of the disabled algorithm string is described as follows:
 949 #   DisabledAlgorithms:
 950 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 951 #
 952 #   DisabledAlgorithm:
 953 #       AlgorithmName [Constraint]
 954 #
 955 #   AlgorithmName:
 956 #       (see below)
 957 #
 958 #   Constraint:
 959 #       KeySizeConstraint
 960 #
 961 #   KeySizeConstraint:
 962 #       keySize Operator KeyLength
 963 #
 964 #   Operator:
 965 #       <= | < | == | != | >= | >
 966 #
 967 #   KeyLength:
 968 #       Integer value of the algorithm's key length in bits
 969 #
 970 # Note: This property is currently used by the JDK Reference
 971 # implementation. It is not guaranteed to be examined and used by other
 972 # implementations.
 973 #
 974 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, \
 975       DSA keySize < 1024
 976 



 638 # delimited by an ampersand '&'.  For example, to restrict certificates in a
 639 # chain that terminate at a distribution provided trust anchor and contain
 640 # RSA keys that are less than or equal to 1024 bits, add the following
 641 # constraint:  "RSA keySize <= 1024 & jdkCA".
 642 #
 643 # All DisabledAlgorithms expressions are processed in the order defined in the
 644 # property.  This requires lower keysize constraints to be specified
 645 # before larger keysize constraints of the same algorithm.  For example:
 646 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
 647 #
 648 # Note: This property is currently used by Oracle's PKIX implementation. It
 649 # is not guaranteed to be examined and used by other implementations.
 650 #
 651 # Example:
 652 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 653 #
 654 #
 655 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \
 656     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
 657 
 658 # Algorithm restrictions for signed JAR files
 659 #
 660 # In some environments, certain algorithms or key lengths may be undesirable
 661 # for signed JAR validation.  For example, "MD2" is generally no longer
 662 # considered to be a secure hash algorithm.  This section describes the
 663 # mechanism for disabling algorithms based on algorithm name and/or key length.
 664 # JARs signed with any of the disabled algorithms or key sizes will be treated
 665 # as unsigned.
 666 #
 667 # The syntax of the disabled algorithm string is described as follows:
 668 #   DisabledAlgorithms:
 669 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 670 #
 671 #   DisabledAlgorithm:
 672 #       AlgorithmName [Constraint]
 673 #
 674 #   AlgorithmName:
 675 #       (see below)
 676 #
 677 #   Constraint:
 678 #       KeySizeConstraint
 679 #
 680 #   KeySizeConstraint:
 681 #       keySize Operator KeyLength
 682 #
 683 #   Operator:
 684 #       <= | < | == | != | >= | >
 685 #
 686 #   KeyLength:
 687 #       Integer value of the algorithm's key length in bits
 688 #
 689 # Note: This property is currently used by the JDK Reference
 690 # implementation. It is not guaranteed to be examined and used by other
 691 # implementations.
 692 #
 693 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 694       DSA keySize < 1024
 695 
 696 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 697 # (SSL/TLS/DTLS) processing
 698 #
 699 # In some environments, certain algorithms or key lengths may be undesirable
 700 # when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
 701 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
 702 # protocol version negotiation, cipher suites selection, peer authentication
 703 # and key exchange mechanisms.
 704 #
 705 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 706 # if they are enabled explicitly in an application.
 707 #
 708 # For PKI-based peer authentication and key exchange mechanisms, this list
 709 # of disabled algorithms will also be checked during certification path
 710 # building and validation, including algorithms used in certificates, as
 711 # well as revocation information such as CRLs and signed OCSP Responses.
 712 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 713 #
 714 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 715 # syntax of the disabled algorithm string.


 956 # Other patterns, from left to right, match the class or package name as
 957 # returned from Class.getName.
 958 # If the class is an array type, the class or package to be matched is the element type.
 959 # Arrays of any number of dimensions are treated the same as the element type.
 960 # For example, a pattern of "!example.Foo", rejects creation of any instance or
 961 # array of example.Foo.
 962 #
 963 # If the pattern starts with "!", the status is REJECTED if the remaining pattern
 964 #   is matched; otherwise the status is ALLOWED if the pattern matches.
 965 # If the pattern contains "/", the non-empty prefix up to the "/" is the module name;
 966 #   if the module name matches the module name of the class then
 967 #   the remaining pattern is matched with the class name.
 968 #   If there is no "/", the module name is not compared.
 969 # If the pattern ends with ".**" it matches any class in the package and all subpackages.
 970 # If the pattern ends with ".*" it matches any class in the package.
 971 # If the pattern ends with "*", it matches any class with the pattern as a prefix.
 972 # If the pattern is equal to the class name, it matches.
 973 # Otherwise, the status is UNDECIDED.
 974 #
 975 #jdk.serialFilter=pattern;pattern






































 976 





< prev index next >