--- a/jdk/src/java.base/share/conf/security/java.security Thu Aug 31 08:35:16 2017 -0700
+++ b/jdk/src/java.base/share/conf/security/java.security Thu Aug 31 12:48:19 2017 -0700
@@ -678,6 +678,7 @@
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
+#
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
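Review bot: the added "#" line between the jdk.tls.disabledAlgorithms value and the "Legacy algorithms" comment is a layout-only change unrelated to the jurisdiction policy rewording, and the same separator is added before the DHE parameters comment in the next hunk. Either mention the comment cleanup in the commit message or split it out, so that a diff of this security configuration file shows only the policy text change.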
@@ -742,6 +743,7 @@
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
+#
# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
#
@@ -799,54 +801,38 @@
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
+#
# Cryptographic Jurisdiction Policy defaults
#
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used. If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country. By default, Java provides two different sets of
+# cryptographic policy files[1]:
+#
+# unlimited: These policy files contain no restrictions on cryptographic
+# strengths or algorithms
+#
+# limited: These policy files contain more restricted cryptographic
+# strengths
#
-# If your country has restrictions that don't fit either "limited" or
-# "unlimited", an appropriate set of policy files should be created and
-# configured before using this distribution. The jurisdiction policy file
-# configuration must reflect the cryptographic restrictions appropriate
-# for your country.
+# The default setting is determined by the value of the “crypto.policy”
+# Security property below. If your country or usage requires the
+# traditional restrictive policy, the “limited” Java cryptographic
+# policy is still available and may be appropriate for your environment.
+#
+# If you have restrictions that do not fit either use case mentioned
+# above, Java provides the capability to customize these policy files.
+# The “crypto.policy” security property points to a subdirectory
+# within <java-home>/conf/security/policy/ which can be customized.
+# Please see the <java-home>/conf/security/policy/README.txt file or consult
+# the Java Security Guide/JCA documentation for more information.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
-# The policy files are flat text files organized into subdirectories of
-# <java-home>/conf/security/policy. Each directory contains a complete
-# set of policy files.
-#
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
-#
-# The default set of directories is:
-#
-# limited | unlimited
-#
-# however other directories can be created and configured.
-#
-# Within a directory, the effective policy is the combined minimum
-# permissions of the grant statements in the file(s) with the filename
-# pattern "default_*.policy". At least one grant is required. For
-# example:
-#
-# limited = Export (all) + Import (limited) = Limited
-# unlimited = Export (all) + Import (all) = Unlimited
-#
-# The effective exemption policy is the combined minimum permissions
-# of the grant statements in the file(s) with the filename pattern
-# "exempt_*.policy". Exemption grants are optional.
-#
-# limited = grants exemption permissions, by which the
-# effective policy can be circumvented.
-# e.g. KeyRecovery/Escrow/Weakening.
-#
-# Please see the JCA documentation for additional information on these
-# files and formats.
+# [1] Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
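Review bot: the rewritten comment block drops the explanation of how the effective policy is derived, namely the removed lines on the combined minimum permissions of the "default_*.policy" grants and on the "exempt_*.policy" exemption grants "by which the effective policy can be circumvented", and replaces it with a pointer to <java-home>/conf/security/policy/README.txt, which is not part of this diff. Please confirm that the README ships with this change and carries that material, or keep a short summary here, since anyone customizing the policy directory needs to know how grants combine and that exemption grants weaken the result. Separately, the added lines put typographic quotes around crypto.policy and limited where the removed text used ASCII double quotes; keeping ASCII avoids encoding surprises when the file is edited or displayed.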