java.security-windows revision 5870
#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#    -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# Comma-separated list of package prefixes. A package name that starts
# with or equals one of these strings will cause a security exception to
# be thrown when passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,\
               com.sun.xml.internal.bind.,\
               com.sun.xml.internal.org.jvnet.staxex.,\
               com.sun.xml.internal.ws.,\
               com.sun.imageio.,\
               com.sun.istack.internal.,\
               com.sun.jmx.,\
               com.sun.proxy.,\
               com.sun.org.apache.xerces.internal.utils.,\
               com.sun.org.apache.xalan.internal.utils.,\
               com.sun.org.glassfish.external.,\
               com.sun.org.glassfish.gmbal.,\
               oracle.jrockit.jfr.

#
# Comma-separated list of package prefixes. A package name that starts
# with or equals one of these strings will cause a security exception to
# be thrown when passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
package.definition=sun.,\
                   com.sun.xml.internal.bind.,\
                   com.sun.xml.internal.org.jvnet.staxex.,\
                   com.sun.xml.internal.ws.,\
                   com.sun.imageio.,\
                   com.sun.istack.internal.,\
                   com.sun.jmx.,\
                   com.sun.proxy.,\
                   com.sun.org.apache.xerces.internal.utils.,\
                   com.sun.org.apache.xalan.internal.utils.,\
                   com.sun.org.glassfish.external.,\
                   com.sun.org.glassfish.gmbal.,\
                   oracle.jrockit.jfr.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to a DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc.), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described in the following
# Java BNF-style grammar:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

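The disabled-algorithm grammar shared by jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms is re-implemented below as an added Python example (not the JDK's own parser) so the sub-element matching rule and the KeySizeConstraint semantics described above can be checked against concrete certificates; it assumes that a name such as "SHA1withECDSA" splits into sub-elements at "with" and "and", and that a bare AlgorithmName also matches the public-key algorithm itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Comparison operators allowed in a KeySizeConstraint, as listed in the grammar.
OPERATORS = {
    "<=": lambda actual, limit: actual <= limit,
    "<":  lambda actual, limit: actual < limit,
    "==": lambda actual, limit: actual == limit,
    "!=": lambda actual, limit: actual != limit,
    ">=": lambda actual, limit: actual >= limit,
    ">":  lambda actual, limit: actual > limit,
}


@dataclass(frozen=True)
class DisabledAlgorithm:
    """One DisabledAlgorithm entry: AlgorithmName [keySize Operator DecimalInteger]."""
    name: str                     # AlgorithmName, lower-cased for case-insensitive matching
    op: Optional[str] = None      # Operator, or None when no constraint is present
    limit: Optional[int] = None   # DecimalInteger: key size in bits


_CONSTRAINT_RE = re.compile(r"^keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.IGNORECASE)

# Assumption (not the JDK's own decomposer): an algorithm name such as
# "SHA1withECDSA" splits into its sub-elements at "with" and "and".
_SUB_ELEMENT_SPLIT = re.compile(r"with|and", re.IGNORECASE)


def parse_disabled_algorithms(value: str) -> List[DisabledAlgorithm]:
    """Parse the comma-separated property value into entries. Anything outside
    the grammar raises, so a typo cannot silently disable nothing at all."""
    entries: List[DisabledAlgorithm] = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(None, 1)          # AlgorithmName, then optional Constraint
        name = parts[0].lower()
        if len(parts) == 1:
            entries.append(DisabledAlgorithm(name))
            continue
        match = _CONSTRAINT_RE.match(parts[1].strip())
        if match is None:
            raise ValueError(f"unsupported constraint in entry {raw!r}")
        entries.append(DisabledAlgorithm(name, match.group(1), int(match.group(2))))
    return entries


def sub_elements(algorithm: str) -> Set[str]:
    """Lower-cased sub-elements of a standard algorithm name."""
    return {part.lower() for part in _SUB_ELEMENT_SPLIT.split(algorithm) if part}


def is_disabled(entries: List[DisabledAlgorithm], signature_algorithm: str,
                key_algorithm: Optional[str] = None,
                key_size_bits: Optional[int] = None) -> bool:
    """True when a certificate (its signature algorithm name plus, if known,
    its public-key algorithm and size) is rejected by the parsed entries."""
    subs = sub_elements(signature_algorithm)
    key_alg = key_algorithm.lower() if key_algorithm else None
    for entry in entries:
        if entry.op is None:
            # Bare AlgorithmName: disabled if it is a sub-element of the signature
            # algorithm ("DSA" hits SHA1withDSA but not ECDSA) or names the key
            # algorithm itself.
            if entry.name in subs or entry.name == key_alg:
                return True
        elif key_alg == entry.name and key_size_bits is not None:
            # KeySizeConstraint: only meaningful for the matching key algorithm.
            if OPERATORS[entry.op](key_size_bits, entry.limit):
                return True
    return False


if __name__ == "__main__":
    # This file's effective value and the two-sided range example from the comments.
    for prop in ("MD2, RSA keySize < 1024", "RSA keySize < 1024, RSA keySize > 2048"):
        rules = parse_disabled_algorithms(prop)
        for sig, key, bits in (("MD2withRSA", "RSA", 2048), ("SHA256withRSA", "RSA", 512),
                               ("SHA256withRSA", "RSA", 4096), ("SHA256withECDSA", "EC", 256)):
            verdict = "disabled" if is_disabled(rules, sig, key, bits) else "allowed"
            print(f"{prop!r}: {sig} / {key}-{bits} -> {verdict}")
```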