jdk/src/share/lib/security/java.security
author mullan
Wed, 22 Feb 2012 15:38:24 -0500
changeset 13035 27b066eebe1f
parent 8769 728aa3db9869
child 13042 44d134b0557e
permissions -rw-r--r--
7145239: Finetune package definition restriction Reviewed-by: hawtin
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     2
# This is the "master security properties file".
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     4
# In this file, various security properties are set for use by
90ce3da70b43 Initial load
duke
parents:
diff changeset
     5
# java.security classes. This is where users can statically register
90ce3da70b43 Initial load
duke
parents:
diff changeset
     6
# Cryptography Package Providers ("providers" for short). The term
90ce3da70b43 Initial load
duke
parents:
diff changeset
     7
# "provider" refers to a package or set of packages that supply a
90ce3da70b43 Initial load
duke
parents:
diff changeset
     8
# concrete implementation of a subset of the cryptography aspects of
90ce3da70b43 Initial load
duke
parents:
diff changeset
     9
# the Java Security API. A provider may, for example, implement one or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    10
# more digital signature algorithms or message digest algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    11
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    12
# Each provider must implement a subclass of the Provider class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    13
# To register a provider in this master security properties file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    14
# specify the Provider subclass name and priority in the format
90ce3da70b43 Initial load
duke
parents:
diff changeset
    15
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    16
#    security.provider.<n>=<className>
90ce3da70b43 Initial load
duke
parents:
diff changeset
    17
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    18
# This declares a provider, and specifies its preference
90ce3da70b43 Initial load
duke
parents:
diff changeset
    19
# order n. The preference order is the order in which providers are
90ce3da70b43 Initial load
duke
parents:
diff changeset
    20
# searched for requested algorithms (when no specific provider is
90ce3da70b43 Initial load
duke
parents:
diff changeset
    21
# requested). The order is 1-based; 1 is the most preferred, followed
90ce3da70b43 Initial load
duke
parents:
diff changeset
    22
# by 2, and so on.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    23
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    24
# <className> must specify the subclass of the Provider class whose
90ce3da70b43 Initial load
duke
parents:
diff changeset
    25
# constructor sets the values of various properties that are required
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
# for the Java Security API to look up the algorithms or other
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
# facilities implemented by the provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
# There must be at least one provider specification in java.security.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
# There is a default provider that comes standard with the JDK. It
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
# is called the "SUN" provider, and its Provider subclass
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
# named Sun appears in the sun.security.provider package. Thus, the
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
# "SUN" provider is registered via the following:
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
#    security.provider.1=sun.security.provider.Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
    36
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    37
# (The number 1 is used for the default provider.)
90ce3da70b43 Initial load
duke
parents:
diff changeset
    38
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
# Note: Providers can be dynamically registered instead by calls to
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
# either the addProvider or insertProviderAt method in the Security
90ce3da70b43 Initial load
duke
parents:
diff changeset
    41
# class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
# List of providers and their preference orders (see above):
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    46
security.provider.1=sun.security.provider.Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
    47
security.provider.2=sun.security.rsa.SunRsaSign
3492
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    48
security.provider.3=sun.security.ec.SunEC
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    49
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    50
security.provider.5=com.sun.crypto.provider.SunJCE
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    51
security.provider.6=sun.security.jgss.SunProvider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    52
security.provider.7=com.sun.security.sasl.Provider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    53
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    54
security.provider.9=sun.security.smartcardio.SunPCSC
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
# Select the source of seed data for SecureRandom. By default an
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
    58
# attempt is made to use the entropy gathering device specified by
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    59
# the securerandom.source property. If an exception occurs when
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
    60
# accessing the URL then the traditional system/thread activity
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
    61
# algorithm is used.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    62
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    63
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
90ce3da70b43 Initial load
duke
parents:
diff changeset
    64
# exists, a special SecureRandom implementation is activated by default.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    65
# This "NativePRNG" reads random bytes directly from /dev/urandom.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    66
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    67
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
90ce3da70b43 Initial load
duke
parents:
diff changeset
    68
# enables use of the Microsoft CryptoAPI seed functionality.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    69
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    70
securerandom.source=file:/dev/urandom
90ce3da70b43 Initial load
duke
parents:
diff changeset
    71
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    72
# The entropy gathering device is described as a URL and can also
90ce3da70b43 Initial load
duke
parents:
diff changeset
    73
# be specified with the system property "java.security.egd". For example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    74
#   -Djava.security.egd=file:/dev/urandom
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
    75
# Specifying this system property will override the securerandom.source
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    76
# setting.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    77
90ce3da70b43 Initial load
duke
parents:
diff changeset
    78
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    79
# Class to instantiate as the javax.security.auth.login.Configuration
90ce3da70b43 Initial load
duke
parents:
diff changeset
    80
# provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    81
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    82
login.configuration.provider=com.sun.security.auth.login.ConfigFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
    83
90ce3da70b43 Initial load
duke
parents:
diff changeset
    84
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    85
# Default login configuration file
90ce3da70b43 Initial load
duke
parents:
diff changeset
    86
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    87
#login.config.url.1=file:${user.home}/.java.login.config
90ce3da70b43 Initial load
duke
parents:
diff changeset
    88
90ce3da70b43 Initial load
duke
parents:
diff changeset
    89
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    90
# Class to instantiate as the system Policy. This is the name of the class
90ce3da70b43 Initial load
duke
parents:
diff changeset
    91
# that will be used as the Policy object.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    92
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    93
policy.provider=sun.security.provider.PolicyFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
    94
90ce3da70b43 Initial load
duke
parents:
diff changeset
    95
# The default is to have a single system-wide policy file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    96
# and a policy file in the user's home directory.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    97
policy.url.1=file:${java.home}/lib/security/java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
    98
policy.url.2=file:${user.home}/.java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
    99
90ce3da70b43 Initial load
duke
parents:
diff changeset
   100
# whether or not we expand properties in the policy file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   101
# if this is set to false, properties (${...}) will not be expanded in policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   102
# files.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   103
policy.expandProperties=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   104
90ce3da70b43 Initial load
duke
parents:
diff changeset
   105
# whether or not we allow an extra policy to be passed on the command line
90ce3da70b43 Initial load
duke
parents:
diff changeset
   106
# with -Djava.security.policy=somefile. Comment out this line to disable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   107
# this feature.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   108
policy.allowSystemProperty=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   109
90ce3da70b43 Initial load
duke
parents:
diff changeset
   110
# whether or not we look into the IdentityScope for trusted Identities
90ce3da70b43 Initial load
duke
parents:
diff changeset
   111
# when encountering a 1.1 signed JAR file. If the identity is found
90ce3da70b43 Initial load
duke
parents:
diff changeset
   112
# and is trusted, we grant it AllPermission.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   113
policy.ignoreIdentityScope=false
90ce3da70b43 Initial load
duke
parents:
diff changeset
   114
90ce3da70b43 Initial load
duke
parents:
diff changeset
   115
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   116
# Default keystore type.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   117
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   118
keystore.type=jks
90ce3da70b43 Initial load
duke
parents:
diff changeset
   119
90ce3da70b43 Initial load
duke
parents:
diff changeset
   120
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   121
# List of comma-separated packages that start with or equal this string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   122
# will cause a security exception to be thrown when
90ce3da70b43 Initial load
duke
parents:
diff changeset
   123
# passed to checkPackageAccess unless the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   124
# corresponding RuntimePermission ("accessClassInPackage."+package) has
90ce3da70b43 Initial load
duke
parents:
diff changeset
   125
# been granted.
8769
728aa3db9869 7020513: Add com.sun.xml.internal to the "package.access" property in $JAVA_HOME/lib/security/java.security
ramap
parents: 7040
diff changeset
   126
package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   127
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
# List of comma-separated packages that start with or equal this string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   130
# will cause a security exception to be thrown when
90ce3da70b43 Initial load
duke
parents:
diff changeset
   131
# passed to checkPackageDefinition unless the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   132
# corresponding RuntimePermission ("defineClassInPackage."+package) has
90ce3da70b43 Initial load
duke
parents:
diff changeset
   133
# been granted.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   134
#
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   135
# by default, none of the class loaders supplied with the JDK call
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   136
# checkPackageDefinition.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   137
#
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   138
package.definition=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   139
90ce3da70b43 Initial load
duke
parents:
diff changeset
   140
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   141
# Determines whether this properties file can be appended to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   142
# or overridden on the command line via -Djava.security.properties
90ce3da70b43 Initial load
duke
parents:
diff changeset
   143
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   144
security.overridePropertiesFile=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   145
90ce3da70b43 Initial load
duke
parents:
diff changeset
   146
#
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   147
# Determines the default key and trust manager factory algorithms for
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   148
# the javax.net.ssl package.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   149
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   150
ssl.KeyManagerFactory.algorithm=SunX509
90ce3da70b43 Initial load
duke
parents:
diff changeset
   151
ssl.TrustManagerFactory.algorithm=PKIX
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
90ce3da70b43 Initial load
duke
parents:
diff changeset
   153
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   154
# The Java-level namelookup cache policy for successful lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   155
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   156
# any negative value: caching forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   157
# any positive value: the number of seconds to cache an address for
90ce3da70b43 Initial load
duke
parents:
diff changeset
   158
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   159
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
# default value is forever (FOREVER). For security reasons, this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   161
# caching is made forever when a security manager is set. When a security
90ce3da70b43 Initial load
duke
parents:
diff changeset
   162
# manager is not set, the default behavior in this implementation
90ce3da70b43 Initial load
duke
parents:
diff changeset
   163
# is to cache for 30 seconds.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   164
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   165
# NOTE: setting this to anything other than the default value can have
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   166
#       serious security implications. Do not set it unless
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
#       you are sure you are not exposed to DNS spoofing attack.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   168
#
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   169
#networkaddress.cache.ttl=-1
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   170
90ce3da70b43 Initial load
duke
parents:
diff changeset
   171
# The Java-level namelookup cache policy for failed lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   172
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   173
# any negative value: cache forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   174
# any positive value: the number of seconds to cache negative lookup results
90ce3da70b43 Initial load
duke
parents:
diff changeset
   175
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   176
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   177
# In some Microsoft Windows networking environments that employ
90ce3da70b43 Initial load
duke
parents:
diff changeset
   178
# the WINS name service in addition to DNS, name service lookups
90ce3da70b43 Initial load
duke
parents:
diff changeset
   179
# that fail may take a noticeably long time to return (approx. 5 seconds).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   180
# For this reason the default caching policy is to maintain these
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   181
# results for 10 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   182
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   183
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   184
networkaddress.cache.negative.ttl=10
90ce3da70b43 Initial load
duke
parents:
diff changeset
   185
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
# Properties to configure OCSP for certificate revocation checking
90ce3da70b43 Initial load
duke
parents:
diff changeset
   188
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   189
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   190
# Enable OCSP
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   191
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   192
# By default, OCSP is not used for certificate revocation checking.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   193
# This property enables the use of OCSP when set to the value "true".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   194
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   195
# NOTE: SocketPermission is required to connect to an OCSP responder.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   196
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   197
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   198
#   ocsp.enable=true
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   199
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   200
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   201
# Location of the OCSP responder
90ce3da70b43 Initial load
duke
parents:
diff changeset
   202
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   203
# By default, the location of the OCSP responder is determined implicitly
90ce3da70b43 Initial load
duke
parents:
diff changeset
   204
# from the certificate being validated. This property explicitly specifies
90ce3da70b43 Initial load
duke
parents:
diff changeset
   205
# the location of the OCSP responder. The property is used when the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   206
# Authority Information Access extension (defined in RFC 3280) is absent
90ce3da70b43 Initial load
duke
parents:
diff changeset
   207
# from the certificate or when it requires overriding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   208
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   209
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   210
#   ocsp.responderURL=http://ocsp.example.net:80
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   211
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   212
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   213
# Subject name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   214
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   215
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   216
# of the certificate being validated. This property identifies the certificate
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   217
# of the OCSP responder when the default does not apply. Its value is a string
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   218
# distinguished name (defined in RFC 2253) which identifies a certificate in
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   219
# the set of certificates supplied during cert path validation. In cases where
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   220
# the subject name alone is not sufficient to uniquely identify the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   221
# then both the "ocsp.responderCertIssuerName" and
90ce3da70b43 Initial load
duke
parents:
diff changeset
   222
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   223
# property is set then those two properties are ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   224
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   225
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   226
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   227
90ce3da70b43 Initial load
duke
parents:
diff changeset
   228
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   229
# Issuer name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   230
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   231
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   232
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   233
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   234
# distinguished name (defined in RFC 2253) which identifies a certificate in
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   235
# the set of certificates supplied during cert path validation. When this
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   236
# property is set then the "ocsp.responderCertSerialNumber" property must also
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   237
# be set. When the "ocsp.responderCertSubjectName" property is set then this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   238
# property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   239
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   240
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   241
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   242
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   243
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   244
# Serial number of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   245
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   246
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   247
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   248
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   249
# of hexadecimal digits (colon or space separators may be present) which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   250
# identifies a certificate in the set of certificates supplied during cert path
90ce3da70b43 Initial load
duke
parents:
diff changeset
   251
# validation. When this property is set then the "ocsp.responderCertIssuerName"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   252
# property must also be set. When the "ocsp.responderCertSubjectName" property
90ce3da70b43 Initial load
duke
parents:
diff changeset
   253
# is set then this property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
#   ocsp.responderCertSerialNumber=2A:FF:00
4531
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   257
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   258
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   259
# Policy for failed Kerberos KDC lookups:
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   260
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   261
# When a KDC is unavailable (network error, service failure, etc), it is
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   262
# put inside a blacklist and accessed less often for future requests. The
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   263
# value (case-insensitive) for this policy can be:
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   264
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   265
# tryLast
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   266
#    KDCs in the blacklist are always tried after those not on the list.
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   267
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   268
# tryLess[:max_retries,timeout]
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   269
#    KDCs in the blacklist are still tried by their order in the configuration,
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   270
#    but with smaller max_retries and timeout values. max_retries and timeout
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   271
#    are optional numerical parameters (default 1 and 5000, which means once
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   272
#    and 5 seconds). Please notes that if any of the values defined here is
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   273
#    more than what is defined in krb5.conf, it will be ignored.
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   274
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   275
# Whenever a KDC is detected as available, it is removed from the blacklist.
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   276
# The blacklist is reset when krb5.conf is reloaded. You can add
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   277
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   278
# reloaded whenever a JAAS authentication is attempted.
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   279
#
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   280
# Example,
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   281
#   krb5.kdc.bad.policy = tryLast
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   282
#   krb5.kdc.bad.policy = tryLess:2,2000
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   283
krb5.kdc.bad.policy = tryLast
3a9206343ab2 6843127: krb5 should not try to access unavailable kdc too often
weijun
parents: 3492
diff changeset
   284
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   285
# Algorithm restrictions for certification path (CertPath) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   286
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   287
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   288
# for certification path building and validation.  For example, "MD2" is
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   289
# generally no longer considered to be a secure hash algorithm.  This section
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   290
# describes the mechanism for disabling algorithms based on algorithm name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   291
# and/or key length.  This includes algorithms used in certificates, as well
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   292
# as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   293
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   294
# The syntax of the disabled algorithm string is described as this Java
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   295
# BNF-style:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   296
#   DisabledAlgorithms:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   297
#       " DisabledAlgorithm { , DisabledAlgorithm } "
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   298
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   299
#   DisabledAlgorithm:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   300
#       AlgorithmName [Constraint]
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   301
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   302
#   AlgorithmName:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   303
#       (see below)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   304
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   305
#   Constraint:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   306
#       KeySizeConstraint
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   307
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   308
#   KeySizeConstraint:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   309
#       keySize Operator DecimalInteger
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   310
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   311
#   Operator:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   312
#       <= | < | == | != | >= | >
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   313
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   314
#   DecimalInteger:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   315
#       DecimalDigits
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   316
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   317
#   DecimalDigits:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   318
#       DecimalDigit {DecimalDigit}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   319
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   320
#   DecimalDigit: one of
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   321
#       1 2 3 4 5 6 7 8 9 0
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   322
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   323
# The "AlgorithmName" is the standard algorithm name of the disabled
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   324
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   325
# Documentation" for information about Standard Algorithm Names.  Matching
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   326
# is performed using a case-insensitive sub-element matching rule.  (For
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   327
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   328
# "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   329
# sub-element of the certificate algorithm name, the algorithm will be
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   330
# rejected during certification path building and validation.  For example,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   331
# the assertion algorithm name "DSA" will disable all certificate algorithms
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   332
# that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   333
# will not disable algorithms related to "ECDSA".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   334
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   335
# A "Constraint" provides further guidance for the algorithm being specified.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   336
# The "KeySizeConstraint" requires a key of a valid size range if the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   337
# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   338
# key size specified in number of bits.  For example, "RSA keySize <= 1024"
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   339
# indicates that any RSA key with key size less than or equal to 1024 bits
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   340
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   341
# that any RSA key with key size less than 1024 or greater than 2048 should
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   342
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   343
# algorithms.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   344
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   345
# Note: This property is currently used by Oracle's PKIX implementation. It
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   346
# is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   347
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   348
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   349
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   350
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   351
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   352
jdk.certpath.disabledAlgorithms=MD2
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   353
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   354
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   355
# (SSL/TLS) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   356
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   357
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   358
# when using SSL/TLS.  This section describes the mechanism for disabling
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   359
# algorithms during SSL/TLS security parameters negotiation, including cipher
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   360
# suites selection, peer authentication and key exchange mechanisms.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   361
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   362
# For PKI-based peer authentication and key exchange mechanisms, this list
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   363
# of disabled algorithms will also be checked during certification path
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   364
# building and validation, including algorithms used in certificates, as
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   365
# well as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   366
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   367
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   368
# See the specification of "jdk.certpath.disabledAlgorithms" for the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   369
# syntax of the disabled algorithm string.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   370
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   371
# Note: This property is currently used by Oracle's JSSE implementation.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   372
# It is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   373
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   374
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   375
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 4983
diff changeset
   376