
src/share/lib/security/java.security-aix

rev 12009 : [mq]: 8167591-Add-MD5-to-signed-JAR-restrictions


 466 #
 467 # A "Constraint" provides further guidance for the algorithm being specified.
 468 # The "KeySizeConstraint" requires a key of a valid size range if the
 469 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 470 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 471 # indicates that any RSA key with key size less than or equal to 1024 bits
 472 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 473 # that any RSA key with key size less than 1024 or greater than 2048 should
 474 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 475 # algorithms.
 476 #
 477 # Note: This property is currently used by Oracle's PKIX implementation. It
 478 # is not guaranteed to be examined and used by other implementations.
 479 #
 480 # Example:
 481 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 482 #
 483 #
 484 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 485 
 486 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 487 # (SSL/TLS) processing
 488 #
 489 # In some environments, certain algorithms or key lengths may be undesirable
 490 # when using SSL/TLS.  This section describes the mechanism for disabling
 491 # algorithms during SSL/TLS security parameters negotiation, including
 492 # protocol version negotiation, cipher suites selection, peer authentication
 493 # and key exchange mechanisms.
 494 #
 495 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 496 # if they are enabled explicitly in an application.
 497 #
 498 # For PKI-based peer authentication and key exchange mechanisms, this list
 499 # of disabled algorithms will also be checked during certification path
 500 # building and validation, including algorithms used in certificates, as
 501 # well as revocation information such as CRLs and signed OCSP Responses.
 502 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 503 #
 504 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 505 # syntax of the disabled algorithm string.


 607 #
 608 # If this property is not defined or the value is empty, the underlying JSSE
 609 # provider's default group parameter is used for each connection.
 610 #
 611 # If the property value does not follow the grammar, or a particular group
 612 # parameter is not valid, the connection will fall back and use the
 613 # underlying JSSE provider's default group parameter.
 614 #
 615 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 616 # is not guaranteed to be examined and used by other implementations.
 617 #
 618 # Example:
 619 #   jdk.tls.server.defaultDHEParameters=
 620 #       { \
 621 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 622 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 623 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 624 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 625 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 626 #       FFFFFFFF FFFFFFFF, 2}
 627 
 628 # Algorithm restrictions for signed JAR files
 629 #
 630 # In some environments, certain algorithms or key lengths may be undesirable
 631 # for signed JAR validation.  For example, "MD2" is generally no longer
 632 # considered to be a secure hash algorithm.  This section describes the
 633 # mechanism for disabling algorithms based on algorithm name and/or key length.
 634 # JARs signed with any of the disabled algorithms or key sizes will be treated
 635 # as unsigned.
 636 #
 637 # The syntax of the disabled algorithm string is described as follows:
 638 #   DisabledAlgorithms:
 639 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 640 #
 641 #   DisabledAlgorithm:
 642 #       AlgorithmName [Constraint]
 643 #
 644 #   AlgorithmName:
 645 #       (see below)
 646 #
 647 #   Constraint:
 648 #       KeySizeConstraint
 649 #
 650 #   KeySizeConstraint:
 651 #       keySize Operator KeyLength
 652 #
 653 #   Operator:
 654 #       <= | < | == | != | >= | >
 655 #
 656 #   KeyLength:
 657 #       Integer value of the algorithm's key length in bits
 658 #
 659 # Note: This property is currently used by the JDK Reference
 660 # implementation. It is not guaranteed to be examined and used by other
 661 # implementations.
 662 #
 663 jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024


 466 #
 467 # A "Constraint" provides further guidance for the algorithm being specified.
 468 # The "KeySizeConstraint" requires a key of a valid size range if the
 469 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
 470 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
 471 # indicates that any RSA key with key size less than or equal to 1024 bits
 472 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
 473 # that any RSA key with key size less than 1024 or greater than 2048 should
 474 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
 475 # algorithms.
 476 #
 477 # Note: This property is currently used by Oracle's PKIX implementation. It
 478 # is not guaranteed to be examined and used by other implementations.
 479 #
 480 # Example:
 481 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 482 #
 483 #
 484 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 485 
 486 # Algorithm restrictions for signed JAR files
 487 #
 488 # In some environments, certain algorithms or key lengths may be undesirable
 489 # for signed JAR validation.  For example, "MD2" is generally no longer
 490 # considered to be a secure hash algorithm.  This section describes the
 491 # mechanism for disabling algorithms based on algorithm name and/or key length.
 492 # JARs signed with any of the disabled algorithms or key sizes will be treated
 493 # as unsigned.
 494 #
 495 # The syntax of the disabled algorithm string is described as follows:
 496 #   DisabledAlgorithms:
 497 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 498 #
 499 #   DisabledAlgorithm:
 500 #       AlgorithmName [Constraint]
 501 #
 502 #   AlgorithmName:
 503 #       (see below)
 504 #
 505 #   Constraint:
 506 #       KeySizeConstraint
 507 #
 508 #   KeySizeConstraint:
 509 #       keySize Operator KeyLength
 510 #
 511 #   Operator:
 512 #       <= | < | == | != | >= | >
 513 #
 514 #   KeyLength:
 515 #       Integer value of the algorithm's key length in bits
 516 #
 517 # Note: This property is currently used by the JDK Reference
 518 # implementation. It is not guaranteed to be examined and used by other
 519 # implementations.
 520 #
 521 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 522 
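Review bot: the comment block above jdk.jar.disabledAlgorithms (new lines 488-493) still names only "MD2" as the example of a hash no longer considered secure, while the value on line 521 now also disables MD5; suggest updating that sentence, e.g. `# for signed JAR validation.  For example, "MD2" and "MD5" are generally no longer` / `# considered to be secure hash algorithms.`, so the prose matches the restriction. Since the same block states that JARs signed with any disabled algorithm are treated as unsigned, the change description should also call out that existing JARs whose signature or digest uses MD5 will lose their signed status after this change, so deployers can re-sign them before upgrading.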
 523 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 524 # (SSL/TLS) processing
 525 #
 526 # In some environments, certain algorithms or key lengths may be undesirable
 527 # when using SSL/TLS.  This section describes the mechanism for disabling
 528 # algorithms during SSL/TLS security parameters negotiation, including
 529 # protocol version negotiation, cipher suites selection, peer authentication
 530 # and key exchange mechanisms.
 531 #
 532 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 533 # if they are enabled explicitly in an application.
 534 #
 535 # For PKI-based peer authentication and key exchange mechanisms, this list
 536 # of disabled algorithms will also be checked during certification path
 537 # building and validation, including algorithms used in certificates, as
 538 # well as revocation information such as CRLs and signed OCSP Responses.
 539 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 540 #
 541 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 542 # syntax of the disabled algorithm string.


 644 #
 645 # If this property is not defined or the value is empty, the underlying JSSE
 646 # provider's default group parameter is used for each connection.
 647 #
 648 # If the property value does not follow the grammar, or a particular group
 649 # parameter is not valid, the connection will fall back and use the
 650 # underlying JSSE provider's default group parameter.
 651 #
 652 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 653 # is not guaranteed to be examined and used by other implementations.
 654 #
 655 # Example:
 656 #   jdk.tls.server.defaultDHEParameters=
 657 #       { \
 658 #       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
 659 #       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
 660 #       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
 661 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 662 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 663 #       FFFFFFFF FFFFFFFF, 2}
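Review bot: besides the one-token value change, the signed JAR section has been moved from after the jdk.tls.server.defaultDHEParameters block (old lines 628-663) to directly after jdk.certpath.disabledAlgorithms (new lines 486-521), which is why the side-by-side view shows the whole TLS and DHE text as changed. Grouping the two disabledAlgorithms properties together is reasonable, but the move is not mentioned in the revision description ("Add-MD5-to-signed-JAR-restrictions"); please state it there and confirm it is intentional so reviewers do not have to diff the moved block by hand.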