543 #
544 # Operator:
545 # <= | < | == | != | >= | >
546 #
547 # KeyLength:
548 # Integer value of the algorithm's key length in bits
549 #
550 # CAConstraint:
551 # jdkCA
552 #
553 # DenyAfterConstraint:
554 # denyAfter YYYY-MM-DD
555 #
556 # UsageConstraint:
557 # usage [TLSServer] [TLSClient] [SignedJAR]
558 #
559 # IncludeProperty:
560 # include <security property>
561 #
562 # The "AlgorithmName" is the standard algorithm name of the disabled
563 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
564 # Documentation" for information about Standard Algorithm Names. Matching
565 # is performed using a case-insensitive sub-element matching rule. (For
566 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
567 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
568 # sub-element of the certificate algorithm name, the algorithm will be
569 # rejected during certification path building and validation. For example,
570 # the assertion algorithm name "DSA" will disable all certificate algorithms
571 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
572 # will not disable algorithms related to "ECDSA".
573 #
574 # The "IncludeProperty" allows a implementation-defined security property that
575 # can be included in the disabledAlgorithms properties. These properties are
576 # to help manage common actions easier across multiple disabledAlgorithm
577 # properties.
578 # There is one defined security property: jdk.disabled.NamedCurves
579 # See the property for more specific details.
580 #
581 #
582 # A "Constraint" defines restrictions on the keys and/or certificates for
583 # a specified AlgorithmName:
584 #
585 # KeySizeConstraint:
708 #
709 # KeyLength:
710 # Integer value of the algorithm's key length in bits
711 #
712 # Note: This property is currently used by the JDK Reference
713 # implementation. It is not guaranteed to be examined and used by other
714 # implementations.
715 #
716 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
717 #
718 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
719 DSA keySize < 1024, include jdk.disabled.namedCurves
720
721 #
722 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
723 # (SSL/TLS/DTLS) processing
724 #
725 # In some environments, certain algorithms or key lengths may be undesirable
726 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling
727 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
728 # protocol version negotiation, cipher suites selection, peer authentication
729 # and key exchange mechanisms.
730 #
731 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
732 # if they are enabled explicitly in an application.
733 #
734 # For PKI-based peer authentication and key exchange mechanisms, this list
735 # of disabled algorithms will also be checked during certification path
736 # building and validation, including algorithms used in certificates, as
737 # well as revocation information such as CRLs and signed OCSP Responses.
738 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
739 #
740 # See the specification of "jdk.certpath.disabledAlgorithms" for the
741 # syntax of the disabled algorithm string.
742 #
743 # Note: The algorithm restrictions do not apply to trust anchors or
744 # self-signed certificates.
745 #
746 # Note: This property is currently used by the JDK Reference implementation.
747 # It is not guaranteed to be examined and used by other implementations.
748 #
749 # Example:
750 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
751 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
752 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
753 include jdk.disabled.namedCurves
754
755 #
756 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
757 # processing in JSSE implementation.
758 #
759 # In some environments, a certain algorithm may be undesirable but it
760 # cannot be disabled because of its use in legacy applications. Legacy
761 # algorithms may still be supported, but applications should not use them
762 # as the security strength of legacy algorithms are usually not strong enough
763 # in practice.
764 #
765 # During SSL/TLS security parameters negotiation, legacy algorithms will
766 # not be negotiated unless there are no other candidates.
767 #
768 # The syntax of the legacy algorithms string is described as this Java
769 # BNF-style:
770 # LegacyAlgorithms:
775 #
776 # See the specification of security property "jdk.certpath.disabledAlgorithms"
777 # for the syntax and description of the "AlgorithmName" notation.
778 #
779 # Per SSL/TLS specifications, cipher suites have the form:
780 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
781 # or
782 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
783 #
784 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
785 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
786 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
787 # algorithm for HMAC.
788 #
789 # The LegacyAlgorithm can be one of the following standard algorithm names:
790 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
791 # 2. JSSE key exchange algorithm name, e.g., RSA
792 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
793 # 4. JSSE message digest algorithm name, e.g., SHA
794 #
795 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
796 # Algorithm Name Documentation" for information about the algorithm names.
797 #
798 # Note: If a legacy algorithm is also restricted through the
799 # jdk.tls.disabledAlgorithms property or the
800 # java.security.AlgorithmConstraints API (See
801 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
802 # then the algorithm is completely disabled and will not be negotiated.
803 #
804 # Note: This property is currently used by the JDK Reference implementation.
805 # It is not guaranteed to be examined and used by other implementations.
806 # There is no guarantee the property will continue to exist or be of the
807 # same syntax in future releases.
808 #
809 # Example:
810 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
811 #
812 jdk.tls.legacyAlgorithms= \
813 K_NULL, C_NULL, M_NULL, \
814 DH_anon, ECDH_anon, \
815 RC4_128, RC4_40, DES_CBC, DES40_CBC, \
816 3DES_EDE_CBC
|
543 #
544 # Operator:
545 # <= | < | == | != | >= | >
546 #
547 # KeyLength:
548 # Integer value of the algorithm's key length in bits
549 #
550 # CAConstraint:
551 # jdkCA
552 #
553 # DenyAfterConstraint:
554 # denyAfter YYYY-MM-DD
555 #
556 # UsageConstraint:
557 # usage [TLSServer] [TLSClient] [SignedJAR]
558 #
559 # IncludeProperty:
560 # include <security property>
561 #
562 # The "AlgorithmName" is the standard algorithm name of the disabled
563 # algorithm. See the Java Security Standard Algorithm Names Specification
564 # for information about Standard Algorithm Names. Matching is
565 # performed using a case-insensitive sub-element matching rule. (For
566 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
567 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
568 # sub-element of the certificate algorithm name, the algorithm will be
569 # rejected during certification path building and validation. For example,
570 # the assertion algorithm name "DSA" will disable all certificate algorithms
571 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
572 # will not disable algorithms related to "ECDSA".
573 #
574 # The "IncludeProperty" allows a implementation-defined security property that
575 # can be included in the disabledAlgorithms properties. These properties are
576 # to help manage common actions easier across multiple disabledAlgorithm
577 # properties.
578 # There is one defined security property: jdk.disabled.NamedCurves
579 # See the property for more specific details.
580 #
581 #
582 # A "Constraint" defines restrictions on the keys and/or certificates for
583 # a specified AlgorithmName:
584 #
585 # KeySizeConstraint:
708 #
709 # KeyLength:
710 # Integer value of the algorithm's key length in bits
711 #
712 # Note: This property is currently used by the JDK Reference
713 # implementation. It is not guaranteed to be examined and used by other
714 # implementations.
715 #
716 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
717 #
718 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
719 DSA keySize < 1024, include jdk.disabled.namedCurves
720
721 #
722 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
723 # (SSL/TLS/DTLS) processing
724 #
725 # In some environments, certain algorithms or key lengths may be undesirable
726 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling
727 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
728 # protocol version negotiation, cipher suites selection, named groups
729 # selection, signature schemes selection, peer authentication and key
730 # exchange mechanisms.
731 #
732 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
733 # if they are enabled explicitly in an application.
734 #
735 # For PKI-based peer authentication and key exchange mechanisms, this list
736 # of disabled algorithms will also be checked during certification path
737 # building and validation, including algorithms used in certificates, as
738 # well as revocation information such as CRLs and signed OCSP Responses.
739 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
740 #
741 # See the specification of "jdk.certpath.disabledAlgorithms" for the
742 # syntax of the disabled algorithm string.
743 #
744 # Note: The algorithm restrictions do not apply to trust anchors or
745 # self-signed certificates.
746 #
747 # Note: This property is currently used by the JDK Reference implementation.
748 # It is not guaranteed to be examined and used by other implementations.
749 #
750 # Example:
751 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
752 # rsa_pkcs1_sha1, secp224r1
753 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
754 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
755 include jdk.disabled.namedCurves
756
757 #
758 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
759 # processing in JSSE implementation.
760 #
761 # In some environments, a certain algorithm may be undesirable but it
762 # cannot be disabled because of its use in legacy applications. Legacy
763 # algorithms may still be supported, but applications should not use them
764 # as the security strength of legacy algorithms are usually not strong enough
765 # in practice.
766 #
767 # During SSL/TLS security parameters negotiation, legacy algorithms will
768 # not be negotiated unless there are no other candidates.
769 #
770 # The syntax of the legacy algorithms string is described as this Java
771 # BNF-style:
772 # LegacyAlgorithms:
777 #
778 # See the specification of security property "jdk.certpath.disabledAlgorithms"
779 # for the syntax and description of the "AlgorithmName" notation.
780 #
781 # Per SSL/TLS specifications, cipher suites have the form:
782 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
783 # or
784 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
785 #
786 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
787 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
788 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
789 # algorithm for HMAC.
790 #
791 # The LegacyAlgorithm can be one of the following standard algorithm names:
792 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
793 # 2. JSSE key exchange algorithm name, e.g., RSA
794 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
795 # 4. JSSE message digest algorithm name, e.g., SHA
796 #
797 # See SSL/TLS specifications and the Java Security Standard Algorithm Names
798 # Specification for information about the algorithm names.
799 #
800 # Note: If a legacy algorithm is also restricted through the
801 # jdk.tls.disabledAlgorithms property or the
802 # java.security.AlgorithmConstraints API (See
803 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
804 # then the algorithm is completely disabled and will not be negotiated.
805 #
806 # Note: This property is currently used by the JDK Reference implementation.
807 # It is not guaranteed to be examined and used by other implementations.
808 # There is no guarantee the property will continue to exist or be of the
809 # same syntax in future releases.
810 #
811 # Example:
812 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
813 #
814 jdk.tls.legacyAlgorithms= \
815 K_NULL, C_NULL, M_NULL, \
816 DH_anon, ECDH_anon, \
817 RC4_128, RC4_40, DES_CBC, DES40_CBC, \
818 3DES_EDE_CBC
|