539 # |
539 # |
540 # UsageConstraint: |
540 # UsageConstraint: |
541 # usage [TLSServer] [TLSClient] [SignedJAR] |
541 # usage [TLSServer] [TLSClient] [SignedJAR] |
542 # |
542 # |
543 # The "AlgorithmName" is the standard algorithm name of the disabled |
543 # The "AlgorithmName" is the standard algorithm name of the disabled |
544 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
544 # algorithm. See the Java Security Standard Algorithm Names Specification |
545 # Documentation" for information about Standard Algorithm Names. Matching |
545 # for information about Standard Algorithm Names. Matching is |
546 # is performed using a case-insensitive sub-element matching rule. (For |
546 # performed using a case-insensitive sub-element matching rule. (For |
547 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and |
547 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and |
548 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a |
548 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a |
549 # sub-element of the certificate algorithm name, the algorithm will be |
549 # sub-element of the certificate algorithm name, the algorithm will be |
550 # rejected during certification path building and validation. For example, |
550 # rejected during certification path building and validation. For example, |
551 # the assertion algorithm name "DSA" will disable all certificate algorithms |
551 # the assertion algorithm name "DSA" will disable all certificate algorithms |
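Review bot: the renamed reference at new lines 544-545 ("the Java Security Standard Algorithm Names Specification") drops the quotation marks the old title had and gives no version or location for the document. The same replacement appears at 748-749, which is consistent, but only those two occurrences are visible here; check the rest of the file for remaining uses of the old title "Java Cryptography Architecture Standard Algorithm Name Documentation" so the file does not end up citing one document under two names.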
675 # (SSL/TLS/DTLS) processing |
675 # (SSL/TLS/DTLS) processing |
676 # |
676 # |
677 # In some environments, certain algorithms or key lengths may be undesirable |
677 # In some environments, certain algorithms or key lengths may be undesirable |
678 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling |
678 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling |
679 # algorithms during SSL/TLS/DTLS security parameters negotiation, including |
679 # algorithms during SSL/TLS/DTLS security parameters negotiation, including |
680 # protocol version negotiation, cipher suites selection, peer authentication |
680 # protocol version negotiation, cipher suites selection, named groups |
681 # and key exchange mechanisms. |
681 # selection, signature schemes selection, peer authentication and key |
|
682 # exchange mechanisms. |
682 # |
683 # |
683 # Disabled algorithms will not be negotiated for SSL/TLS connections, even |
684 # Disabled algorithms will not be negotiated for SSL/TLS connections, even |
684 # if they are enabled explicitly in an application. |
685 # if they are enabled explicitly in an application. |
685 # |
686 # |
686 # For PKI-based peer authentication and key exchange mechanisms, this list |
687 # For PKI-based peer authentication and key exchange mechanisms, this list |
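Review bot: the unchanged sentence at new lines 684-685 still reads "will not be negotiated for SSL/TLS connections" while the paragraph directly above (677-682) says SSL/TLS/DTLS in every instance. Since this comment block is being revised anyway, make it "SSL/TLS/DTLS connections" so that nobody reads DTLS as exempt from the disabled list. The added wording at 680-681 also introduces "named groups selection" and "signature schemes selection" without saying what form of name an entry for either takes; one sentence stating which names are accepted would let a reader write a correct entry without having to infer it from an example.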
697 # |
698 # |
698 # Note: This property is currently used by the JDK Reference implementation. |
699 # Note: This property is currently used by the JDK Reference implementation. |
699 # It is not guaranteed to be examined and used by other implementations. |
700 # It is not guaranteed to be examined and used by other implementations. |
700 # |
701 # |
701 # Example: |
702 # Example: |
702 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 |
703 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \ |
|
704 # rsa_pkcs1_sha1, secp224r1 |
703 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ |
705 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ |
704 EC keySize < 224, 3DES_EDE_CBC, anon, NULL |
706 EC keySize < 224, 3DES_EDE_CBC, anon, NULL |
705 |
707 |
706 # |
708 # |
707 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) |
709 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) |
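Review bot: the example at new lines 703-704 now lists a signature scheme (rsa_pkcs1_sha1) and a named group (secp224r1), but the shipped value at 705-706 is unchanged and contains neither kind of entry, so the new syntax is documented without any default exercising it. If leaving the default alone is intentional, say so in the change description. The two new example entries are also lower-case while every other entry in the example and in the default is upper- or mixed-case; the comment should state whether these names are matched case-insensitively, as the certification path section does for its algorithm names. It is also worth a sentence on how a named-group entry relates to the existing "EC keySize < 224" constraint, since that constraint on its own does not cover a 224-bit curve such as the secp224r1 shown in the example.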
741 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA |
743 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA |
742 # 2. JSSE key exchange algorithm name, e.g., RSA |
744 # 2. JSSE key exchange algorithm name, e.g., RSA |
743 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC |
745 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC |
744 # 4. JSSE message digest algorithm name, e.g., SHA |
746 # 4. JSSE message digest algorithm name, e.g., SHA |
745 # |
747 # |
746 # See SSL/TLS specifications and "Java Cryptography Architecture Standard |
748 # See SSL/TLS specifications and the Java Security Standard Algorithm Names |
747 # Algorithm Name Documentation" for information about the algorithm names. |
749 # Specification for information about the algorithm names. |
748 # |
750 # |
749 # Note: If a legacy algorithm is also restricted through the |
751 # Note: If a legacy algorithm is also restricted through the |
750 # jdk.tls.disabledAlgorithms property or the |
752 # jdk.tls.disabledAlgorithms property or the |
751 # java.security.AlgorithmConstraints API (See |
753 # java.security.AlgorithmConstraints API (See |
752 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()), |
754 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()), |
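Review bot: the list of accepted name kinds at new lines 743-746 still has only four items (cipher suite, key exchange, cipher, message digest), while the disabled-algorithms comment earlier in this patch now covers named groups and signature schemes as well. Either extend this list if legacy entries can also be named groups or signature schemes, or state explicitly that they cannot, so the two sections do not look inconsistent by omission. The reference rename at 748-749 itself looks fine and matches the wording used at 544-545.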