java.security-macosx revision 6151
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
#
# List of providers and their preference orders (see above):
#
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
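# Added example (not part of this file or the JDK): observing the preference
# order above from a running JVM and exercising the dynamic addProvider /
# insertProviderAt route mentioned in the note. The class ProviderOrder and
# its helper names are this example's own; it assumes a standard JDK with
# the SUN and SunJCE providers installed.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

/**
 * Shows the installed providers in their 1-based preference order and which
 * provider ends up serving an algorithm that is requested without naming a
 * provider, i.e. the lookup order that security.provider.<n> defines.
 */
public class ProviderOrder {

    /** Installed providers in preference order; index 0 is security.provider.1. */
    public static Provider[] installedProviders() {
        return Security.getProviders();
    }

    /** Name of the provider that MessageDigest.getInstance(alg) resolves to. */
    public static String providerFor(String alg) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(alg).getProvider().getName();
    }

    /**
     * Dynamic registration (the addProvider/insertProviderAt route): move an
     * already-installed provider to a new preference position. insertProviderAt
     * returns -1 for a provider that is still installed, so it is removed first.
     * Returns the actual position, or -1 if no provider of that name exists.
     */
    public static int moveProvider(String name, int position) {
        Provider p = Security.getProvider(name);
        if (p == null) {
            return -1;
        }
        Security.removeProvider(name);
        return Security.insertProviderAt(p, position);
    }

    public static void main(String[] args) throws Exception {
        Provider[] providers = installedProviders();
        for (int i = 0; i < providers.length; i++) {
            // Same shape as the security.provider.<n> lines in java.security.
            System.out.printf("security.provider.%d=%s  (%s)%n",
                    i + 1, providers[i].getClass().getName(), providers[i].getName());
        }
        System.out.println("SHA-256 served by: " + providerFor("SHA-256"));

        // Hypothetical check: after promoting SunJCE to position 1, a digest is
        // still served by the first provider in the new order that implements it.
        int pos = moveProvider("SunJCE", 1);
        System.out.println("SunJCE now at position " + pos);
        System.out.println("SHA-256 served by: " + providerFor("SHA-256"));
    }
}
```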
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#
# Specifying this system property will override the securerandom.source
#
# Class to instantiate as the javax.security.auth.login.Configuration
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
#
# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
#
# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
#
# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
#
# Default keystore type.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
#       serious security implications. Do not set it unless
#       you are sure you are not exposed to DNS spoofing attack.
#
# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
# Properties to configure OCSP for certificate revocation checking
#
# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
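# Added example (not part of this file or the JDK): a start-up check that
# reports the effective entropy URL (java.security.egd overriding
# securerandom.source) and the PRNG that new SecureRandom() resolved to.
# The class SeedSourceCheck and its method names are this example's own.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Reports where the default SecureRandom takes its seed from, so that an
 * operator can confirm that securerandom.source (or the java.security.egd
 * override) resolved to the intended entropy source on this platform.
 */
public class SeedSourceCheck {

    /** Effective EGD URL: the java.security.egd system property wins over securerandom.source. */
    public static String effectiveSeedSource() {
        String override = System.getProperty("java.security.egd");
        return override != null ? override : Security.getProperty("securerandom.source");
    }

    /** Algorithm behind new SecureRandom(): the first registered SecureRandom implementation. */
    public static String defaultAlgorithm() {
        return new SecureRandom().getAlgorithm();
    }

    /** True when the platform-native implementation ("NativePRNG") is registered at all. */
    public static boolean nativePrngAvailable() {
        try {
            SecureRandom.getInstance("NativePRNG");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // expected on platforms without /dev/urandom support, e.g. Windows
        }
    }

    public static void main(String[] args) {
        System.out.println("seed source URL : " + effectiveSeedSource());
        System.out.println("default PRNG    : " + defaultAlgorithm());
        System.out.println("NativePRNG      : " + (nativePrngAvailable() ? "registered" : "not registered"));
        // Hypothetical deployment check: on Solaris/Linux with file:/dev/urandom
        // configured, the default is expected to be NativePRNG rather than the
        // thread-activity-seeded fallback.
        if (nativePrngAvailable() && !"NativePRNG".equals(defaultAlgorithm())) {
            System.out.println("warning: NativePRNG is registered but is not the default SecureRandom");
        }
    }
}
```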
#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
#     KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#     KDCs in the blacklist are still tried by their order in the configuration,
#     but with smaller max_retries and timeout values. max_retries and timeout
#     are optional numerical parameters (default 1 and 5000, which means once
#     and 5 seconds). Please note that if any of the values defined here is
#     more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# krb5.kdc.bad.policy = tryLess:2,2000
#
# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
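# Added example (not part of this file or the JDK) covering the disabled
# algorithm syntax shared by jdk.certpath.disabledAlgorithms and
# jdk.tls.disabledAlgorithms: a parser for that syntax plus the sub-element
# and keySize checks applied to a certificate's signature algorithm and key.
# DisabledAlgorithms, Rule, parse and isDisabled are this example's own names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Parses the DisabledAlgorithms syntax above and applies its case-insensitive
// sub-element rule. Splitting names on "with", "and" and "/" is a simplification
// of the JDK's own algorithm decomposer.
public class DisabledAlgorithms {
    /** One DisabledAlgorithm entry; operator is null when no constraint is given. */
    static final class Rule {
        final String name, operator;
        final int keySize;
        Rule(String name, String operator, int keySize) {
            this.name = name; this.operator = operator; this.keySize = keySize;
        }
        boolean keyViolates(int size) {
            if (operator == null) return true;   // no constraint: the name alone disables
            switch (operator) {
                case "<=": return size <= keySize;
                case "<":  return size <  keySize;
                case "==": return size == keySize;
                case "!=": return size != keySize;
                case ">=": return size >= keySize;
                default:   return size >  keySize;   // ">"
            }
        }
    }
    private static final Pattern ENTRY =
            Pattern.compile("^(\\S+)(?:\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+))?$");

    public static List<Rule> parse(String spec) {
        List<Rule> rules = new ArrayList<>();
        for (String raw : spec.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            Matcher m = ENTRY.matcher(entry);
            if (!m.matches()) throw new IllegalArgumentException("cannot parse: " + entry);
            String op = m.group(2);
            rules.add(new Rule(m.group(1), op, op == null ? 0 : Integer.parseInt(m.group(3))));
        }
        return rules;
    }

    /** "SHA1withECDSA" -> [SHA1, ECDSA], upper-cased for case-insensitive comparison. */
    static List<String> subElements(String algorithm) {
        List<String> out = new ArrayList<>();
        for (String part : algorithm.split("(?i)with|and|/")) {
            if (!part.isEmpty()) out.add(part.toUpperCase(Locale.ROOT));
        }
        return out;
    }

    /** True if the certificate's signature algorithm or its key is disabled by the rules. */
    public static boolean isDisabled(List<Rule> rules, String sigAlg, String keyAlg, int keyBits) {
        List<String> sigParts = subElements(sigAlg);
        for (Rule r : rules) {
            String n = r.name.toUpperCase(Locale.ROOT);
            if (r.operator == null && sigParts.contains(n)) return true;   // name-only rule
            if (n.equals(keyAlg.toUpperCase(Locale.ROOT)) && r.keyViolates(keyBits)) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        List<Rule> rules = parse("MD2, RSA keySize < 1024");   // the active certpath setting above
        System.out.println(isDisabled(rules, "MD2withRSA", "RSA", 2048));    // name rule, MD2 sub-element
        System.out.println(isDisabled(rules, "SHA256withRSA", "RSA", 1024)); // boundary: 1024 is not < 1024
        System.out.println(isDisabled(rules, "SHA1withRSA", "RSA", 512));    // key-size rule
    }
}
```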