java.security-solaris revision 3006
#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
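The following program, an added example that is not part of this file or of the JDK, makes the preference order above observable: it lists the installed providers in search order, shows which provider answers an unqualified getInstance() call, reports what "new SecureRandom()" resolved to, and performs the runtime reordering that the note about insertProviderAt refers to. The provider name "SunPKCS11-Solaris" is an assumption derived from the name attribute in sunpkcs11-solaris.cfg; adjust it to the name in your cfg.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * Shows the effect of the security.provider.<n> preference order: which
 * provider answers an unqualified getInstance() call, what the default
 * SecureRandom resolved to, and how insertProviderAt() reorders providers
 * at runtime. Added example; not part of the java.security file or the JDK.
 */
public final class ProviderOrder {

    /** Provider names in preference order, i.e. the order of the security.provider.<n> entries. */
    static List<String> installedProviders() {
        List<String> names = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Provider that wins the search when no provider is named in the request. */
    static String digestProvider(String algorithm) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    /** Implementation behind "new SecureRandom()", e.g. "SUN/NativePRNG" when /dev/urandom is used. */
    static String defaultSecureRandom() {
        SecureRandom sr = new SecureRandom();
        return sr.getProvider().getName() + "/" + sr.getAlgorithm();
    }

    /**
     * A security.provider.<n> entry whose class cannot be loaded is skipped
     * (visible only with -Djava.security.debug=jca), so a deployment that
     * relies on a provider should verify it is present instead of discovering
     * a NoSuchProviderException later.
     */
    static boolean isInstalled(String providerName) {
        return Security.getProvider(providerName) != null;
    }

    /**
     * Runtime equivalent of renumbering security.provider.<n>: moves a provider
     * to the given 1-based position and returns the position it landed at.
     * insertProviderAt() refuses a provider that is already installed, so the
     * provider is removed first.
     */
    static int moveProvider(String providerName, int position) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            throw new IllegalArgumentException("not installed: " + providerName);
        }
        Security.removeProvider(providerName);
        return Security.insertProviderAt(p, position);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("preference order:     " + installedProviders());
        System.out.println("SHA-256 served by:    " + digestProvider("SHA-256"));
        System.out.println("default SecureRandom: " + defaultSecureRandom());
        // "SunPKCS11-Solaris" assumes the name attribute in sunpkcs11-solaris.cfg is "Solaris".
        System.out.println("PKCS#11 present:      " + isInstalled("SunPKCS11-Solaris"));

        // Put the pure-Java SUN provider ahead of the PKCS#11 one. Changing the
        // order changes which implementation every unqualified getInstance()
        // call in the process ends up using, so treat it as a security decision.
        int at = moveProvider("SUN", 1);
        System.out.println("SUN now at " + at + "; SHA-256 served by: " + digestProvider("SHA-256"));
    }
}
```

To try an alternative order without editing the master file, put the changed security.provider.<n> lines in a separate properties file and start the JVM with -Djava.security.properties=<file>, which appends to or overrides individual entries of this file (the command-line override described later in this file); the SecureRandom line also reflects -Djava.security.egd=<URL> when that system property is given.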
#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd".
# Specifying this system property will override the securerandom.source
#
# Class to instantiate as the javax.security.auth.login.Configuration
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile
#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
#
policy.url.1=file:${java.home}/lib/security/java.policy
#
# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
#
# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
#
# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
#
# Default keystore type.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to a DNS spoofing attack.
#
# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
# Properties to configure OCSP for certificate revocation checking
#
# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example:
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example:
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
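The OCSP entries above only take effect when a certification path is validated with revocation checking switched on. The program below, an added example rather than JDK code, sets the properties at runtime and runs a chain through the PKIX CertPathValidator. The keys ocsp.enable and ocsp.responderURL are the JDK's documented names for the "Enable OCSP" and "Location of the OCSP responder" entries, whose key lines are not shown in this excerpt; the chain file name and the responder URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.List;

/**
 * Turns on OCSP revocation checking through the ocsp.* security properties
 * and validates a certificate chain with the PKIX CertPathValidator.
 * Added example for this page, not JDK code.
 */
public final class OcspCheck {

    /**
     * Runtime counterpart of the ocsp.* entries. Security.setProperty() only
     * changes the in-memory copy of the master properties; for a permanent
     * setting put the same keys in java.security or in a file passed with
     * -Djava.security.properties. Pass null to keep the default for either value.
     */
    static void enableOcsp(String responderUrl, String responderSubjectName) {
        Security.setProperty("ocsp.enable", "true");
        if (responderUrl != null) {
            // Overrides, or substitutes for, the AIA extension of the certificate.
            Security.setProperty("ocsp.responderURL", responderUrl);
        }
        if (responderSubjectName != null) {
            // Only needed when the responder does not sign with the issuing CA's key.
            Security.setProperty("ocsp.responderCertSubjectName", responderSubjectName);
        }
    }

    /** Reads a PEM or DER file holding the end-entity certificate followed by its intermediates. */
    static CertPath loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<Certificate> chain = new ArrayList<Certificate>(cf.generateCertificates(in));
            return cf.generateCertPath(chain);
        }
    }

    /**
     * Validates the chain against a trust store with revocation checking on.
     * Without setRevocationEnabled(true) the ocsp.* properties are never consulted.
     * KeyStore.getDefaultType() is the keystore.type value from java.security.
     */
    static PKIXCertPathValidatorResult validate(CertPath chain, String trustStorePath, char[] password)
            throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(chain, params);
    }

    public static void main(String[] args) throws Exception {
        // The chain file and responder URL are placeholders for this example;
        // cacerts with the password "changeit" is the trust store the JDK ships.
        String chainFile = args.length > 0 ? args[0] : "server-chain.pem";
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        enableOcsp("http://ocsp.example.test/", null);
        try {
            PKIXCertPathValidatorResult r = validate(loadChain(chainFile), cacerts, "changeit".toCharArray());
            System.out.println("chain OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // A revoked certificate, a responder that cannot be reached when no
            // CRL is usable as fallback, and a responder certificate that the
            // ocsp.responderCert* properties fail to identify all land here.
            System.out.println("chain rejected: " + e.getMessage());
        }
    }
}
```

When a SecurityManager is installed, the validator needs the SocketPermission noted above to reach the responder; a missing permission surfaces as a failed validation, not as a silently skipped check.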
#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
#        KDCs in the blacklist are always tried after those not on the list.
#
#     tryLess[:max_retries,timeout]
#        KDCs in the blacklist are still tried by their order in the configuration,
#        but with smaller max_retries and timeout values. max_retries and timeout
#        are optional numerical parameters (default 1 and 5000, which means once
#        and 5 seconds). Please note that if any of the values defined here is
#        larger than the corresponding value in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example:
#   krb5.kdc.bad.policy = tryLess:2,2000
#
# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
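The BNF and matching rules above apply to both jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms. The class below, an added example written for this page and not the JDK's own implementation, parses a disabled-algorithm string into entries and applies the case-insensitive sub-element rule to a certificate signature algorithm name and to a TLS cipher suite name, plus the KeySizeConstraint check for key algorithms. Its name decomposition (split on "with", "and", "/" and "_", drop hyphens, treat a bare "SHA" in a cipher suite name as SHA1) is a simplification of the JDK's aliasing and is labelled as such in the code.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parser and evaluator for the disabled-algorithm string used by
 * jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms:
 *     DisabledAlgorithm { , DisabledAlgorithm }
 *     DisabledAlgorithm: AlgorithmName [ keySize Operator DecimalInteger ]
 * Added illustration for this page; not the JDK's implementation, and the
 * name decomposition in decompose() is a simplification of the JDK's.
 */
public final class DisabledAlgorithms {

    // "RSA keySize < 2048": name, operator, decimal integer; whitespace around the operator is optional.
    private static final Pattern CONSTRAINT = Pattern.compile(
            "^(\\S+)\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)$", Pattern.CASE_INSENSITIVE);

    private static final class Rule {
        final String name;  // normalized AlgorithmName
        final String op;    // null when the entry carries no KeySizeConstraint
        final int size;
        Rule(String name, String op, int size) { this.name = name; this.op = op; this.size = size; }
    }

    private final List<Rule> rules = new ArrayList<Rule>();

    public DisabledAlgorithms(String property) {
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;                 // tolerate "MD2, , DSA"
            Matcher m = CONSTRAINT.matcher(e);
            if (m.matches()) {
                rules.add(new Rule(normalize(m.group(1)), m.group(2), Integer.parseInt(m.group(3))));
            } else if (e.indexOf(' ') < 0) {
                rules.add(new Rule(normalize(e), null, 0));
            } else {
                throw new IllegalArgumentException("unparseable entry: " + e);
            }
        }
    }

    /** Case-insensitive comparison; "SHA-1" and "SHA1" (likewise "SHA-256"/"SHA256") compare equal. */
    private static String normalize(String s) {
        return s.toUpperCase(Locale.ROOT).replace("-", "");
    }

    /**
     * Sub-elements of a JCA signature name ("SHA1withECDSA": SHA1, ECDSA) or of a TLS
     * cipher suite name ("TLS_RSA_WITH_AES_128_CBC_SHA": TLS, RSA, AES, 128, CBC, SHA).
     * Cipher suite names spell HMAC-SHA1 as a bare "SHA", so that alias is added here.
     */
    static Set<String> decompose(String algorithm) {
        Set<String> parts = new HashSet<String>();
        for (String p : normalize(algorithm).split("WITH|AND|/|_")) {
            if (p.isEmpty()) continue;
            parts.add(p);
            if (p.equals("SHA")) parts.add("SHA1");
        }
        return parts;
    }

    /** Plain AlgorithmName entries: disabled if the name is a sub-element of the algorithm. */
    public boolean isDisabled(String algorithm) {
        Set<String> parts = decompose(algorithm);
        for (Rule r : rules) {
            if (r.op == null && parts.contains(r.name)) return true;
        }
        return false;
    }

    /** Key algorithms: disabled outright, or disabled when the key size satisfies the constraint. */
    public boolean isKeyDisabled(String keyAlgorithm, int keySizeBits) {
        String name = normalize(keyAlgorithm);
        for (Rule r : rules) {
            if (!r.name.equals(name)) continue;
            if (r.op == null) return true;
            switch (r.op) {
                case "<=": if (keySizeBits <= r.size) return true; break;
                case "<":  if (keySizeBits <  r.size) return true; break;
                case "==": if (keySizeBits == r.size) return true; break;
                case "!=": if (keySizeBits != r.size) return true; break;
                case ">=": if (keySizeBits >= r.size) return true; break;
                default:   if (keySizeBits >  r.size) return true; break;   // ">"
            }
        }
        return false;
    }

    public static void main(String[] args) {
        DisabledAlgorithms certpath = new DisabledAlgorithms("MD2, DSA, RSA keySize < 2048");
        System.out.println("SHA1withDSA:     " + certpath.isDisabled("SHA1withDSA"));
        System.out.println("SHA256withECDSA: " + certpath.isDisabled("SHA256withECDSA"));
        System.out.println("RSA 1024:        " + certpath.isKeyDisabled("RSA", 1024));
        System.out.println("RSA 2048:        " + certpath.isKeyDisabled("RSA", 2048));

        DisabledAlgorithms tls = new DisabledAlgorithms("MD5, SHA1, DSA, RSA keySize < 2048");
        System.out.println("AES_128_CBC_SHA:    " + tls.isDisabled("TLS_RSA_WITH_AES_128_CBC_SHA"));
        System.out.println("AES_128_GCM_SHA256: " + tls.isDisabled("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
        System.out.println("RSA 1024 server key: " + tls.isKeyDisabled("RSA", 1024));
    }
}
```

With the two example strings from this file, SHA1withDSA is rejected because "DSA" is one of its sub-elements while SHA256withECDSA is not, and a 2048-bit RSA key passes a strict "keySize < 2048" constraint while a 1024-bit key does not; on the TLS side, the CBC_SHA suite falls to the "SHA1" entry through the HMAC-SHA1 alias and the GCM_SHA256 suite survives. Note that a KeySizeConstraint is evaluated against the key in the peer's certificate, which is why isKeyDisabled() takes the size separately rather than inferring it from a cipher suite name.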