638 # delimited by an ampersand '&'. For example, to restrict certificates in a 639 # chain that terminate at a distribution provided trust anchor and contain 640 # RSA keys that are less than or equal to 1024 bits, add the following 641 # constraint: "RSA keySize <= 1024 & jdkCA". 642 # 643 # All DisabledAlgorithms expressions are processed in the order defined in the 644 # property. This requires lower keysize constraints to be specified 645 # before larger keysize constraints of the same algorithm. For example: 646 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". 647 # 648 # Note: This property is currently used by Oracle's PKIX implementation. It 649 # is not guaranteed to be examined and used by other implementations. 650 # 651 # Example: 652 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 653 # 654 # 655 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \ 656 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 657 658 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 659 # (SSL/TLS/DTLS) processing 660 # 661 # In some environments, certain algorithms or key lengths may be undesirable 662 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling 663 # algorithms during SSL/TLS/DTLS security parameters negotiation, including 664 # protocol version negotiation, cipher suites selection, peer authentication 665 # and key exchange mechanisms. 666 # 667 # Disabled algorithms will not be negotiated for SSL/TLS connections, even 668 # if they are enabled explicitly in an application. 669 # 670 # For PKI-based peer authentication and key exchange mechanisms, this list 671 # of disabled algorithms will also be checked during certification path 672 # building and validation, including algorithms used in certificates, as 673 # well as revocation information such as CRLs and signed OCSP Responses. 674 # This is in addition to the jdk.certpath.disabledAlgorithms property above. 675 # 676 # See the specification of "jdk.certpath.disabledAlgorithms" for the 677 # syntax of the disabled algorithm string. 918 # Other patterns, from left to right, match the class or package name as 919 # returned from Class.getName. 920 # If the class is an array type, the class or package to be matched is the element type. 921 # Arrays of any number of dimensions are treated the same as the element type. 922 # For example, a pattern of "!example.Foo", rejects creation of any instance or 923 # array of example.Foo. 924 # 925 # If the pattern starts with "!", the status is REJECTED if the remaining pattern 926 # is matched; otherwise the status is ALLOWED if the pattern matches. 927 # If the pattern contains "/", the non-empty prefix up to the "/" is the module name; 928 # if the module name matches the module name of the class then 929 # the remaining pattern is matched with the class name. 930 # If there is no "/", the module name is not compared. 931 # If the pattern ends with ".**" it matches any class in the package and all subpackages. 932 # If the pattern ends with ".*" it matches any class in the package. 933 # If the pattern ends with "*", it matches any class with the pattern as a prefix. 934 # If the pattern is equal to the class name, it matches. 935 # Otherwise, the status is UNDECIDED. 936 # 937 #jdk.serialFilter=pattern;pattern 938 939 # Algorithm restrictions for signed JAR files 940 # 941 # In some environments, certain algorithms or key lengths may be undesirable 942 # for signed JAR validation. For example, "MD2" is generally no longer 943 # considered to be a secure hash algorithm. This section describes the 944 # mechanism for disabling algorithms based on algorithm name and/or key length. 945 # JARs signed with any of the disabled algorithms or key sizes will be treated 946 # as unsigned. 947 # 948 # The syntax of the disabled algorithm string is described as follows: 949 # DisabledAlgorithms: 950 # " DisabledAlgorithm { , DisabledAlgorithm } " 951 # 952 # DisabledAlgorithm: 953 # AlgorithmName [Constraint] 954 # 955 # AlgorithmName: 956 # (see below) 957 # 958 # Constraint: 959 # KeySizeConstraint 960 # 961 # KeySizeConstraint: 962 # keySize Operator KeyLength 963 # 964 # Operator: 965 # <= | < | == | != | >= | > 966 # 967 # KeyLength: 968 # Integer value of the algorithm's key length in bits 969 # 970 # Note: This property is currently used by the JDK Reference 971 # implementation. It is not guaranteed to be examined and used by other 972 # implementations. 973 # 974 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, \ 975 DSA keySize < 1024 976 | 638 # delimited by an ampersand '&'. For example, to restrict certificates in a 639 # chain that terminate at a distribution provided trust anchor and contain 640 # RSA keys that are less than or equal to 1024 bits, add the following 641 # constraint: "RSA keySize <= 1024 & jdkCA". 642 # 643 # All DisabledAlgorithms expressions are processed in the order defined in the 644 # property. This requires lower keysize constraints to be specified 645 # before larger keysize constraints of the same algorithm. For example: 646 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". 647 # 648 # Note: This property is currently used by Oracle's PKIX implementation. It 649 # is not guaranteed to be examined and used by other implementations. 650 # 651 # Example: 652 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 653 # 654 # 655 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \ 656 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 657 658 # Algorithm restrictions for signed JAR files 659 # 660 # In some environments, certain algorithms or key lengths may be undesirable 661 # for signed JAR validation. For example, "MD2" is generally no longer 662 # considered to be a secure hash algorithm. This section describes the 663 # mechanism for disabling algorithms based on algorithm name and/or key length. 664 # JARs signed with any of the disabled algorithms or key sizes will be treated 665 # as unsigned. 666 # 667 # The syntax of the disabled algorithm string is described as follows: 668 # DisabledAlgorithms: 669 # " DisabledAlgorithm { , DisabledAlgorithm } " 670 # 671 # DisabledAlgorithm: 672 # AlgorithmName [Constraint] 673 # 674 # AlgorithmName: 675 # (see below) 676 # 677 # Constraint: 678 # KeySizeConstraint 679 # 680 # KeySizeConstraint: 681 # keySize Operator KeyLength 682 # 683 # Operator: 684 # <= | < | == | != | >= | > 685 # 686 # KeyLength: 687 # Integer value of the algorithm's key length in bits 688 # 689 # Note: This property is currently used by the JDK Reference 690 # implementation. It is not guaranteed to be examined and used by other 691 # implementations. 692 # 693 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ 694 DSA keySize < 1024 695 696 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 697 # (SSL/TLS/DTLS) processing 698 # 699 # In some environments, certain algorithms or key lengths may be undesirable 700 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling 701 # algorithms during SSL/TLS/DTLS security parameters negotiation, including 702 # protocol version negotiation, cipher suites selection, peer authentication 703 # and key exchange mechanisms. 704 # 705 # Disabled algorithms will not be negotiated for SSL/TLS connections, even 706 # if they are enabled explicitly in an application. 707 # 708 # For PKI-based peer authentication and key exchange mechanisms, this list 709 # of disabled algorithms will also be checked during certification path 710 # building and validation, including algorithms used in certificates, as 711 # well as revocation information such as CRLs and signed OCSP Responses. 712 # This is in addition to the jdk.certpath.disabledAlgorithms property above. 713 # 714 # See the specification of "jdk.certpath.disabledAlgorithms" for the 715 # syntax of the disabled algorithm string. 956 # Other patterns, from left to right, match the class or package name as 957 # returned from Class.getName. 958 # If the class is an array type, the class or package to be matched is the element type. 959 # Arrays of any number of dimensions are treated the same as the element type. 960 # For example, a pattern of "!example.Foo", rejects creation of any instance or 961 # array of example.Foo. 962 # 963 # If the pattern starts with "!", the status is REJECTED if the remaining pattern 964 # is matched; otherwise the status is ALLOWED if the pattern matches. 965 # If the pattern contains "/", the non-empty prefix up to the "/" is the module name; 966 # if the module name matches the module name of the class then 967 # the remaining pattern is matched with the class name. 968 # If there is no "/", the module name is not compared. 969 # If the pattern ends with ".**" it matches any class in the package and all subpackages. 970 # If the pattern ends with ".*" it matches any class in the package. 971 # If the pattern ends with "*", it matches any class with the pattern as a prefix. 972 # If the pattern is equal to the class name, it matches. 973 # Otherwise, the status is UNDECIDED. 974 # 975 #jdk.serialFilter=pattern;pattern 976 |