540 # It is not guaranteed to be examined and used by other implementations. |
540 # It is not guaranteed to be examined and used by other implementations. |
541 # |
541 # |
542 # Example: |
542 # Example: |
543 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 |
543 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 |
544 jdk.tls.disabledAlgorithms=SSLv3, RC4 |
544 jdk.tls.disabledAlgorithms=SSLv3, RC4 |
|
545 |
|
546 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) |
|
547 # processing in JSSE implementation. |
|
548 # |
|
549 # In some environments, a certain algorithm may be undesirable but it |
|
550 # cannot be disabled because of its use in legacy applications. Legacy |
|
551 # algorithms may still be supported, but applications should not use them |
|
552 # as the security strength of legacy algorithms are usually not strong enough |
|
553 # in practice. |
|
554 # |
|
555 # During SSL/TLS security parameters negotiation, legacy algorithms will |
|
556 # not be negotiated unless there are no other candidates. |
|
557 # |
|
558 # The syntax of the disabled algorithm string is described as this Java |
|
559 # BNF-style: |
|
560 # LegacyAlgorithms: |
|
561 # " LegacyAlgorithm { , LegacyAlgorithm } " |
|
562 # |
|
563 # LegacyAlgorithm: |
|
564 # AlgorithmName (standard JSSE algorithm name) |
|
565 # |
|
566 # See the specification of security property "jdk.certpath.disabledAlgorithms" |
|
567 # for the syntax and description of the "AlgorithmName" notation. |
|
568 # |
|
569 # Per SSL/TLS specifications, cipher suites have the form: |
|
570 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg |
|
571 # or |
|
572 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg |
|
573 # |
|
574 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the |
|
575 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC |
|
576 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest |
|
577 # algorithm for HMAC. |
|
578 # |
|
579 # The LegacyAlgorithm can be one of the following standard algorithm names: |
|
580 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA |
|
581 # 2. JSSE key exchange algorithm name, e.g., RSA |
|
582 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC |
|
583 # 4. JSSE message digest algorithm name, e.g., SHA-1 |
|
584 # |
|
585 # See SSL/TLS specifications and "Java Cryptography Architecture Standard |
|
586 # Algorithm Name Documentation" for information about the algorithm names. |
|
587 # |
|
588 # Note: This property is currently used by Oracle's JSSE implementation. |
|
589 # It is not guaranteed to be examined and used by other implementations. |
|
590 # There is no guarantee the property will continue to exist or be of the |
|
591 # same syntax in future releases. |
|
592 # |
|
593 # Example: |
|
594 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 |
|
595 # |
|
596 jdk.tls.legacyAlgorithms= \ |
|
597 K_NULL, C_NULL, M_NULL, \ |
|
598 DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ |
|
599 DH_RSA_EXPORT, RSA_EXPORT, \ |
|
600 DH_anon, ECDH_anon, \ |
|
601 RC4_128, RC4_40, DES_CBC, DES40_CBC |