java.security-solaris revision 5873
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider in the generic file;
# the Solaris list below places the native OracleUcrypto and SunPKCS11
# providers ahead of it.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC
#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#   -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.
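# The two sections above (provider preference order and SecureRandom seeding)
# are easiest to check at run time. The program below is an added example
# written for this page; it is not part of the JDK or of this file. It lists
# the providers in the order java.security installed them, shows which provider
# wins getInstance() for a few algorithms, shows how the same order can be
# changed with removeProvider/insertProviderAt (the dynamic registration the
# comment mentions), and reports which SecureRandom the securerandom.source /
# java.security.egd settings resolved to. The class name and the optional
# command-line argument (a provider name such as SunJCE) are this example's
# own choices.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Run-time view of the security.provider.<n> order and the SecureRandom
 * source configured in java.security. Added example, not JDK code.
 */
public class ProviderOrderDemo {

    /** Providers as installed from java.security, numbered 1-based like the file. */
    static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d = %s (%s)%n",
                    i + 1, providers[i].getName(), providers[i].getClass().getName());
        }
    }

    /** Which provider wins the preference-order search for one algorithm, and who else offers it. */
    static String resolve(String service, String algorithm) throws Exception {
        String winner;
        if (service.equals("Cipher")) {
            winner = Cipher.getInstance(algorithm).getProvider().getName();
        } else if (service.equals("MessageDigest")) {
            winner = MessageDigest.getInstance(algorithm).getProvider().getName();
        } else if (service.equals("SecureRandom")) {
            winner = SecureRandom.getInstance(algorithm).getProvider().getName();
        } else {
            throw new IllegalArgumentException("unsupported service " + service);
        }
        // Security.getProviders("Service.Algorithm") returns every installed provider
        // offering that pair, already sorted by preference order (null if none).
        // Modes/padding are attributes, so only the bare algorithm name is filtered on.
        Provider[] candidates = Security.getProviders(service + "." + algorithm.split("/")[0]);
        StringBuilder names = new StringBuilder();
        if (candidates != null) {
            for (Provider p : candidates) names.append(p.getName()).append(' ');
        }
        System.out.printf("%-13s %-22s -> %-14s (candidates: %s)%n", service, algorithm, winner, names);
        return winner;
    }

    /** Move an installed provider to position 1: the run-time equivalent of editing this file. */
    static void prefer(String providerName) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            System.out.println("provider not installed: " + providerName);
            return;
        }
        // insertProviderAt() returns -1 for a provider that is already installed, so it has
        // to be removed first. Both calls change process-wide state; do this once at startup,
        // before other threads start calling getInstance().
        Security.removeProvider(providerName);
        int position = Security.insertProviderAt(p, 1);
        System.out.println("moved " + providerName + " to position " + position);
    }

    /** What the securerandom.source / java.security.egd settings resolved to. */
    static void showSecureRandom() {
        SecureRandom def = new SecureRandom();   // first SecureRandom in preference order
        System.out.println("default SecureRandom: " + def.getAlgorithm()
                + " from " + def.getProvider().getName());
        try {
            SecureRandom n = SecureRandom.getInstance("NativePRNG");
            System.out.println("NativePRNG available from " + n.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            // Expected on Windows, or on Unix when /dev/urandom was not usable at startup.
            System.out.println("NativePRNG not available: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        resolve("MessageDigest", "SHA-256");
        resolve("Cipher", "AES/CBC/PKCS5Padding");
        resolve("SecureRandom", "SHA1PRNG");
        showSecureRandom();
        if (args.length == 1) {          // optional: promote a provider and watch the winner change
            prefer(args[0]);
            resolve("Cipher", "AES/CBC/PKCS5Padding");
        }
    }
}
```

# Run it once as is and once as
# `java -Djava.security.egd=file:/dev/urandom ProviderOrderDemo SunJCE`
# to see the SecureRandom line change and AES move from the first native
# provider to SunJCE. An alternative java.security can be supplied with
# -Djava.security.properties=<file> (see the override setting further down).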
#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
#
# Default keystore type.
#

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
#

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
#       serious security implications. Do not set it unless
#       you are sure you are not exposed to DNS spoofing attack.
#

#
# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#

# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280, now RFC 5280)
# is absent from the certificate or when it requires overriding.
#

# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
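# The OCSP properties above only take effect when a PKIX validation actually
# runs with revocation checking turned on. The program below is an added
# example for this page, not JDK code: it sets the same properties at run time
# with Security.setProperty(), validates a PEM chain (leaf first) against a
# trust store, and reports the reason and index of any rejection, which is the
# check to run before relying on an ocsp.* setting. The property name
# ocsp.responderURL is the standard JDK name for the responder location
# described above. The chain file, trust store path and the "changeit"
# password are this example's assumptions, passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Validates a PEM certificate chain with OCSP revocation checking enabled. Added example. */
public class OcspValidate {

    /** Run-time equivalent of the ocsp.* lines in java.security. */
    static void configureOcsp(String responderUrl) {
        Security.setProperty("ocsp.enable", "true");
        if (responderUrl != null) {
            // Only needed when the AIA extension is absent or has to be overridden.
            Security.setProperty("ocsp.responderURL", responderUrl);
        }
    }

    /** Reads every PEM block in the file, in file order (leaf first, root optional). */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // A self-signed root in the file is a trust anchor, not part of the path.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        return chain;
    }

    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trust)
            throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trust);
        // Without this the ocsp.enable property is never consulted.
        params.setRevocationEnabled(true);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: OcspValidate chain.pem truststore [responderURL]");
            System.exit(2);
        }
        configureOcsp(args.length > 2 ? args[2] : null);
        List<X509Certificate> chain = readPemChain(args[0]);
        KeyStore trust = loadTrustStore(args[1], "changeit".toCharArray()); // assumed password
        try {
            PKIXCertPathValidatorResult r = validate(chain, trust);
            System.out.println("valid; trust anchor = "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS
            // (responder unreachable); getIndex() is the offending cert's position, leaf = 0.
            System.out.println("REJECTED: " + e.getMessage()
                    + " (reason " + e.getReason() + ", index " + e.getIndex() + ")");
            System.exit(1);
        }
    }
}
```

# Connecting to the responder needs network access (and SocketPermission
# under a security manager, as noted above); an unreachable responder shows
# up as an UNDETERMINED_REVOCATION_STATUS rejection rather than a pass.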
#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLess:2,2000
#
# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example,
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example,
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
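# The disabled-algorithm grammar and matching rules (sub-element matching on
# the name, keySize constraints for key algorithms) are shared by the certpath
# and TLS sections above. The program below is an added example for this page,
# not the JDK's own checker (which is internal to sun.security.util): it parses
# a DisabledAlgorithms string with the grammar given above, evaluates it the way
# the comments describe, and can apply it to a real certificate's public key and
# signature algorithm. The rule string is the example from this file; the test
# cases in main() and the optional PEM file argument are constructed for the
# example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Evaluates a jdk.certpath/jdk.tls.disabledAlgorithms string. Added example, not JDK code. */
public class DisabledAlgorithmCheck {

    /** One "AlgorithmName [keySize Operator DecimalInteger]" entry of the grammar. */
    static final class Rule {
        final String name;   // upper-cased once; matching is case-insensitive
        final String op;     // null when the entry carries no KeySizeConstraint
        final int bits;
        Rule(String name, String op, int bits) { this.name = name; this.op = op; this.bits = bits; }
        @Override public String toString() { return op == null ? name : name + " keySize " + op + " " + bits; }
    }

    private static final Pattern ENTRY =
            Pattern.compile("^\\s*(\\S+)(?:\\s+keySize\\s*(<=|<|==|!=|>=|>)\\s*(\\d+))?\\s*$");

    /** DisabledAlgorithms: DisabledAlgorithm { , DisabledAlgorithm } */
    static List<Rule> parse(String property) {
        List<Rule> rules = new ArrayList<>();
        for (String raw : property.split(",")) {
            if (raw.trim().isEmpty()) continue;
            Matcher m = ENTRY.matcher(raw);
            if (!m.matches()) throw new IllegalArgumentException("bad DisabledAlgorithm: " + raw.trim());
            rules.add(new Rule(m.group(1).toUpperCase(Locale.ROOT), m.group(2),
                    m.group(3) == null ? 0 : Integer.parseInt(m.group(3))));
        }
        return rules;
    }

    /** "SHA1withECDSA" -> {SHA1, ECDSA}; "RSA" -> {RSA}. "DSA" is not a sub-element of "ECDSA". */
    static String[] subElements(String algorithm) {
        return algorithm.toUpperCase(Locale.ROOT).split("WITH|AND");
    }

    /** First rule that disables the algorithm at this key size, or null if permitted. keyBits < 0 = no key. */
    static Rule disabledBy(List<Rule> rules, String algorithm, int keyBits) {
        for (Rule r : rules) {
            boolean nameMatches = false;
            for (String s : subElements(algorithm)) nameMatches |= s.equals(r.name);
            if (!nameMatches) continue;
            if (r.op == null) return r;      // bare name: every use of the algorithm is disabled
            if (keyBits < 0) continue;       // key-size rule, but nothing to measure against
            boolean hit;
            switch (r.op) {
                case "<=": hit = keyBits <= r.bits; break;
                case "<":  hit = keyBits <  r.bits; break;
                case "==": hit = keyBits == r.bits; break;
                case "!=": hit = keyBits != r.bits; break;
                case ">=": hit = keyBits >= r.bits; break;
                default:   hit = keyBits >  r.bits; break;   // ">"
            }
            if (hit) return r;
        }
        return null;
    }

    /** Key size in bits for the key algorithms a KeySizeConstraint applies to; -1 if unknown. */
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    /** Checks one certificate: its own public key, and the algorithm it was signed with. */
    static List<String> check(List<Rule> rules, X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        PublicKey key = cert.getPublicKey();
        Rule r = disabledBy(rules, key.getAlgorithm(), keyBits(key));
        if (r != null) problems.add("public key " + key.getAlgorithm() + " " + keyBits(key) + " bits disabled by '" + r + "'");
        // The signing key belongs to the issuer and is measured when the issuer's cert is checked.
        r = disabledBy(rules, cert.getSigAlgName(), -1);
        if (r != null) problems.add("signature " + cert.getSigAlgName() + " disabled by '" + r + "'");
        return problems;
    }

    public static void main(String[] args) throws Exception {
        List<Rule> rules = parse("MD2, DSA, RSA keySize < 2048");     // the example string from java.security
        String[][] cases = { {"MD2withRSA", "-1"}, {"SHA1withDSA", "-1"}, {"SHA1withECDSA", "-1"},
                             {"RSA", "1024"}, {"RSA", "2048"}, {"EC", "256"} };   // constructed
        for (String[] c : cases) {
            Rule r = disabledBy(rules, c[0], Integer.parseInt(c[1]));
            System.out.printf("%-14s %5s bits -> %s%n", c[0], c[1], r == null ? "permitted" : "disabled by '" + r + "'");
        }
        if (args.length == 1) {   // optional: one PEM certificate to check against the same rules
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(args[0])) {
                for (String p : check(rules, (X509Certificate) cf.generateCertificate(in))) System.out.println(p);
            }
        }
    }
}
```

# With the rule string above, MD2withRSA and SHA1withDSA are disabled by name,
# SHA1withECDSA is permitted (ECDSA is not DSA), a 1024-bit RSA key is disabled
# by the keySize rule and 2048-bit RSA and 256-bit EC keys pass. A chain is
# only as strong as its weakest member, so run the check on every certificate
# in the path, not just the leaf.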