java.security-windows revision 6151
#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

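As an added example (not part of this file or the JDK), the following Java program makes the preference order above observable: it asks which providers implement SHA256withRSA, which one an unqualified getInstance() picks, what changes when the least-preferred candidate is moved to position 1, and whether the runtime list still matches the ten entries in this file. Class and method names are the example's own, and it assumes it runs without a security manager (removeProvider/insertProviderAt would otherwise need SecurityPermission); on a JDK whose provider list differs from this Windows file, unexpectedProviders reports exactly those differences.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not part of java.security or the JDK: shows that the position
 * number in security.provider.<n> alone decides which of several equivalent
 * implementations answers an unqualified getInstance() call, and audits the
 * runtime provider list against the entries in this file.
 */
public class ProviderOrderDemo {

    /** Providers that implement the Signature algorithm, most preferred first. */
    public static List<String> candidates(String algorithm) {
        List<String> out = new ArrayList<>();
        Provider[] matches = Security.getProviders("Signature." + algorithm);
        if (matches != null) {                      // null when nobody implements it
            for (Provider p : matches) {
                out.add(p.getName());
            }
        }
        return out;
    }

    /** Name of the provider that serves an unqualified getInstance() call. */
    public static String resolvedProvider(String algorithm) throws NoSuchAlgorithmException {
        return Signature.getInstance(algorithm).getProvider().getName();
    }

    /** 1-based position of an installed provider (as in the file), or -1. */
    public static int positionOf(Provider p) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i] == p) {
                return i + 1;
            }
        }
        return -1;
    }

    /**
     * Temporarily moves the least-preferred candidate to position 1 and reports
     * who serves the request then. With the Windows list above, SHA256withRSA is
     * served by SunRsaSign (2) until SunMSCAPI (10) is moved to the front.
     * Returns null when there are fewer than two candidates; order is restored.
     */
    public static String resolveWithLastCandidateFirst(String algorithm)
            throws NoSuchAlgorithmException {
        Provider[] matches = Security.getProviders("Signature." + algorithm);
        if (matches == null || matches.length < 2) {
            return null;
        }
        Provider last = matches[matches.length - 1];
        int original = positionOf(last);
        Security.removeProvider(last.getName());   // an installed provider cannot be re-inserted
        Security.insertProviderAt(last, 1);
        try {
            return resolvedProvider(algorithm);
        } finally {
            Security.removeProvider(last.getName());
            Security.insertProviderAt(last, original);
        }
    }

    /**
     * Runtime entries that differ from the expected list: an extra, missing or
     * reordered provider means addProvider/insertProviderAt was called or the
     * file was edited. The first provider claiming an algorithm wins silently.
     */
    public static List<String> unexpectedProviders(List<String> expectedClassNames) {
        List<String> out = new ArrayList<>();
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            String cls = providers[i].getClass().getName();
            if (i >= expectedClassNames.size() || !expectedClassNames.get(i).equals(cls)) {
                out.add((i + 1) + "=" + cls);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("candidates:     " + candidates("SHA256withRSA"));
        System.out.println("default:        " + resolvedProvider("SHA256withRSA"));
        System.out.println("last one first: " + resolveWithLastCandidateFirst("SHA256withRSA"));
        // Expected order copied from the security.provider.<n> entries above.
        List<String> expected = Arrays.asList("sun.security.provider.Sun",
            "sun.security.rsa.SunRsaSign", "sun.security.ec.SunEC",
            "com.sun.net.ssl.internal.ssl.Provider", "com.sun.crypto.provider.SunJCE",
            "sun.security.jgss.SunProvider", "com.sun.security.sasl.Provider",
            "org.jcp.xml.dsig.internal.dom.XMLDSigRI", "sun.security.smartcardio.SunPCSC",
            "sun.security.mscapi.SunMSCAPI");
        System.out.println("unexpected:     " + unexpectedProviders(expected));
    }
}
```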
#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#    -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,\
    com.sun.corba.se.impl.,\
    com.sun.xml.internal.,\
    com.sun.imageio.,\
    com.sun.istack.internal.,\
    com.sun.jmx.,\
    com.sun.proxy.,\
    com.sun.org.apache.bcel.internal.,\
    com.sun.org.apache.regexp.internal.,\
    com.sun.org.apache.xerces.internal.,\
    com.sun.org.apache.xpath.internal.,\
    com.sun.org.apache.xalan.internal.extensions.,\
    com.sun.org.apache.xalan.internal.lib.,\
    com.sun.org.apache.xalan.internal.res.,\
    com.sun.org.apache.xalan.internal.templates.,\
    com.sun.org.apache.xalan.internal.utils.,\
    com.sun.org.apache.xalan.internal.xslt.,\
    com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
    com.sun.org.apache.xalan.internal.xsltc.compiler.,\
    com.sun.org.apache.xalan.internal.xsltc.trax.,\
    com.sun.org.apache.xalan.internal.xsltc.util.,\
    com.sun.org.apache.xml.internal.res.,\
    com.sun.org.apache.xml.internal.serializer.utils.,\
    com.sun.org.apache.xml.internal.utils.,\
    com.sun.org.glassfish.,\
    com.sun.java.accessibility.,\
    oracle.jrockit.jfr.

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
package.definition=sun.,\
    com.sun.corba.se.impl.,\
    com.sun.xml.internal.,\
    com.sun.imageio.,\
    com.sun.istack.internal.,\
    com.sun.jmx.,\
    com.sun.proxy.,\
    com.sun.org.apache.bcel.internal.,\
    com.sun.org.apache.regexp.internal.,\
    com.sun.org.apache.xerces.internal.,\
    com.sun.org.apache.xpath.internal.,\
    com.sun.org.apache.xalan.internal.extensions.,\
    com.sun.org.apache.xalan.internal.lib.,\
    com.sun.org.apache.xalan.internal.res.,\
    com.sun.org.apache.xalan.internal.templates.,\
    com.sun.org.apache.xalan.internal.utils.,\
    com.sun.org.apache.xalan.internal.xslt.,\
    com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
    com.sun.org.apache.xalan.internal.xsltc.compiler.,\
    com.sun.org.apache.xalan.internal.xsltc.trax.,\
    com.sun.org.apache.xalan.internal.xsltc.util.,\
    com.sun.org.apache.xml.internal.res.,\
    com.sun.org.apache.xml.internal.serializer.utils.,\
    com.sun.org.apache.xml.internal.utils.,\
    com.sun.org.glassfish.,\
    com.sun.java.accessibility.,\
    oracle.jrockit.jfr.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level name lookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attacks.
#
#networkaddress.cache.ttl=-1

# The Java-level name lookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc.), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described in the following
# BNF-style notation:
#
# DisabledAlgorithms:
#     " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
#     AlgorithmName [Constraint]
#
# AlgorithmName:
#     (see below)
#
# Constraint:
#     KeySizeConstraint
#
# KeySizeConstraint:
#     keySize Operator DecimalInteger
#
# Operator:
#     <= | < | == | != | >= | >
#
# DecimalInteger:
#     DecimalDigits
#
# DecimalDigits:
#     DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
#     1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA and SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA", because "DSA" is not a
# sub-element of "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" applies only when the "AlgorithmName" is a key
# algorithm; it rejects keys whose size satisfies the comparison. The
# "DecimalInteger" is the key size in bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
b7749eb517ff5dd379cf61ee9fb50a0105ab2c0fZbigniew Jędrzejewski-Szmek
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameter negotiation, including cipher
# suite selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

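# To make the sub-element matching rule and keySize constraint concrete for both
# jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms, here is an added
# Python model (not JDK code) that parses a disabled-algorithm string and evaluates
# it against constructed algorithm names and key sizes. Splitting names on
# "with"/"and" is an assumption that approximates the JDK's decomposition rule.

```python
import operator
import re

# Added example, not JDK code: models the documented disabled-algorithm rules.
_OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq,
        "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
# One DisabledAlgorithm entry: AlgorithmName [keySize Operator DecimalInteger]
_ENTRY = re.compile(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?", re.IGNORECASE)


def parse_disabled_algorithms(value):
    """Parse 'MD2, DSA, RSA keySize < 2048' into [(NAME, op, bits)]; op/bits are None without a constraint."""
    rules = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"malformed DisabledAlgorithm entry: {entry!r}")
        name, op, bits = m.groups()
        rules.append((name.upper(), op, int(bits) if bits else None))
    return rules


def sub_elements(algorithm):
    """Case-insensitive sub-elements of a standard name: 'SHA1withECDSA' -> {'SHA1', 'ECDSA'}.
    Splitting on 'with'/'and' is an assumption approximating the JDK's decomposition."""
    return {part.upper() for part in re.split(r"with|and", algorithm, flags=re.IGNORECASE) if part}


def is_disabled(rules, algorithm, key_size=None):
    """True if some rule names a sub-element of `algorithm` and its keySize constraint, if any, holds.
    A bare name disables every algorithm that relies on it; a keySize rule only fires when the
    key size is known and satisfies the comparison, so 'DSA' never matches 'SHA1withECDSA'."""
    elems = sub_elements(algorithm)
    for name, op, bits in rules:
        if name not in elems:
            continue
        if op is None:
            return True
        if key_size is not None and _OPS[op](key_size, bits):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs checked against the file's own example string.
    example = parse_disabled_algorithms("MD2, DSA, RSA keySize < 2048")
    for alg, bits in [("SHA1withDSA", 1024), ("SHA1withECDSA", 256), ("SHA256withRSA", 1024)]:
        print(alg, bits, "disabled" if is_disabled(example, alg, bits) else "allowed")
```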