jdk/src/share/lib/security/java.security-windows
author mullan
Wed, 22 Feb 2012 15:38:24 -0500
changeset 13035 27b066eebe1f
parent 8769 728aa3db9869
child 13042 44d134b0557e
permissions -rw-r--r--
7145239: Finetune package definition restriction Reviewed-by: hawtin
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     2
# This is the "master security properties file".
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     4
# In this file, various security properties are set for use by
90ce3da70b43 Initial load
duke
parents:
diff changeset
     5
# java.security classes. This is where users can statically register
90ce3da70b43 Initial load
duke
parents:
diff changeset
     6
# Cryptography Package Providers ("providers" for short). The term
90ce3da70b43 Initial load
duke
parents:
diff changeset
     7
# "provider" refers to a package or set of packages that supply a
90ce3da70b43 Initial load
duke
parents:
diff changeset
     8
# concrete implementation of a subset of the cryptography aspects of
90ce3da70b43 Initial load
duke
parents:
diff changeset
     9
# the Java Security API. A provider may, for example, implement one or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    10
# more digital signature algorithms or message digest algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    11
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    12
# Each provider must implement a subclass of the Provider class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    13
# To register a provider in this master security properties file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    14
# specify the Provider subclass name and priority in the format
90ce3da70b43 Initial load
duke
parents:
diff changeset
    15
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    16
#    security.provider.<n>=<className>
90ce3da70b43 Initial load
duke
parents:
diff changeset
    17
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    18
# This declares a provider, and specifies its preference
90ce3da70b43 Initial load
duke
parents:
diff changeset
    19
# order n. The preference order is the order in which providers are
90ce3da70b43 Initial load
duke
parents:
diff changeset
    20
# searched for requested algorithms (when no specific provider is
90ce3da70b43 Initial load
duke
parents:
diff changeset
    21
# requested). The order is 1-based; 1 is the most preferred, followed
90ce3da70b43 Initial load
duke
parents:
diff changeset
    22
# by 2, and so on.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    23
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    24
# <className> must specify the subclass of the Provider class whose
90ce3da70b43 Initial load
duke
parents:
diff changeset
    25
# constructor sets the values of various properties that are required
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
# for the Java Security API to look up the algorithms or other
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
# facilities implemented by the provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
# There must be at least one provider specification in java.security.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
# There is a default provider that comes standard with the JDK. It
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
# is called the "SUN" provider, and its Provider subclass
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
# named Sun appears in the sun.security.provider package. Thus, the
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
# "SUN" provider is registered via the following:
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
#    security.provider.1=sun.security.provider.Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
    36
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    37
# (The number 1 is used for the default provider.)
90ce3da70b43 Initial load
duke
parents:
diff changeset
    38
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
# Note: Providers can be dynamically registered instead by calls to
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
# either the addProvider or insertProviderAt method in the Security
90ce3da70b43 Initial load
duke
parents:
diff changeset
    41
# class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
# List of providers and their preference orders (see above):
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    46
security.provider.1=sun.security.provider.Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
    47
security.provider.2=sun.security.rsa.SunRsaSign
3492
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    48
security.provider.3=sun.security.ec.SunEC
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    49
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    50
security.provider.5=com.sun.crypto.provider.SunJCE
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    51
security.provider.6=sun.security.jgss.SunProvider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    52
security.provider.7=com.sun.security.sasl.Provider
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    53
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    54
security.provider.9=sun.security.smartcardio.SunPCSC
e549cea58864 6840752: Provide out-of-the-box support for ECC algorithms
vinnie
parents: 3448
diff changeset
    55
security.provider.10=sun.security.mscapi.SunMSCAPI
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    58
# Select the source of seed data for SecureRandom. By default an
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
    59
# attempt is made to use the entropy gathering device specified by
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    60
# the securerandom.source property. If an exception occurs when
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
    61
# accessing the URL then the traditional system/thread activity
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
    62
# algorithm is used.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    63
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    64
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
90ce3da70b43 Initial load
duke
parents:
diff changeset
    65
# exists, a special SecureRandom implementation is activated by default.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    66
# This "NativePRNG" reads random bytes directly from /dev/urandom.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    67
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    68
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
90ce3da70b43 Initial load
duke
parents:
diff changeset
    69
# enables use of the Microsoft CryptoAPI seed functionality.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    70
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    71
securerandom.source=file:/dev/urandom
90ce3da70b43 Initial load
duke
parents:
diff changeset
    72
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    73
# The entropy gathering device is described as a URL and can also
90ce3da70b43 Initial load
duke
parents:
diff changeset
    74
# be specified with the system property "java.security.egd". For example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    75
#   -Djava.security.egd=file:/dev/urandom
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
    76
# Specifying this system property will override the securerandom.source
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    77
# setting.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    78
90ce3da70b43 Initial load
duke
parents:
diff changeset
    79
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    80
# Class to instantiate as the javax.security.auth.login.Configuration
90ce3da70b43 Initial load
duke
parents:
diff changeset
    81
# provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    82
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    83
login.configuration.provider=com.sun.security.auth.login.ConfigFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
    84
90ce3da70b43 Initial load
duke
parents:
diff changeset
    85
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    86
# Default login configuration file
90ce3da70b43 Initial load
duke
parents:
diff changeset
    87
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    88
#login.config.url.1=file:${user.home}/.java.login.config
90ce3da70b43 Initial load
duke
parents:
diff changeset
    89
90ce3da70b43 Initial load
duke
parents:
diff changeset
    90
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    91
# Class to instantiate as the system Policy. This is the name of the class
90ce3da70b43 Initial load
duke
parents:
diff changeset
    92
# that will be used as the Policy object.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    93
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    94
policy.provider=sun.security.provider.PolicyFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
    95
90ce3da70b43 Initial load
duke
parents:
diff changeset
    96
# The default is to have a single system-wide policy file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    97
# and a policy file in the user's home directory.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    98
policy.url.1=file:${java.home}/lib/security/java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
    99
policy.url.2=file:${user.home}/.java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   100
90ce3da70b43 Initial load
duke
parents:
diff changeset
   101
# whether or not we expand properties in the policy file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   102
# if this is set to false, properties (${...}) will not be expanded in policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   103
# files.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   104
policy.expandProperties=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   105
90ce3da70b43 Initial load
duke
parents:
diff changeset
   106
# whether or not we allow an extra policy to be passed on the command line
90ce3da70b43 Initial load
duke
parents:
diff changeset
   107
# with -Djava.security.policy=somefile. Comment out this line to disable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   108
# this feature.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   109
policy.allowSystemProperty=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   110
90ce3da70b43 Initial load
duke
parents:
diff changeset
   111
# whether or not we look into the IdentityScope for trusted Identities
90ce3da70b43 Initial load
duke
parents:
diff changeset
   112
# when encountering a 1.1 signed JAR file. If the identity is found
90ce3da70b43 Initial load
duke
parents:
diff changeset
   113
# and is trusted, we grant it AllPermission.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   114
policy.ignoreIdentityScope=false
90ce3da70b43 Initial load
duke
parents:
diff changeset
   115
90ce3da70b43 Initial load
duke
parents:
diff changeset
   116
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   117
# Default keystore type.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   118
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   119
keystore.type=jks
90ce3da70b43 Initial load
duke
parents:
diff changeset
   120
90ce3da70b43 Initial load
duke
parents:
diff changeset
   121
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   122
# List of comma-separated packages that start with or equal this string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   123
# will cause a security exception to be thrown when
90ce3da70b43 Initial load
duke
parents:
diff changeset
   124
# passed to checkPackageAccess unless the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   125
# corresponding RuntimePermission ("accessClassInPackage."+package) has
90ce3da70b43 Initial load
duke
parents:
diff changeset
   126
# been granted.
8769
728aa3db9869 7020513: Add com.sun.xml.internal to the "package.access" property in $JAVA_HOME/lib/security/java.security
ramap
parents: 7047
diff changeset
   127
package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   130
# List of comma-separated packages that start with or equal this string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   131
# will cause a security exception to be thrown when
90ce3da70b43 Initial load
duke
parents:
diff changeset
   132
# passed to checkPackageDefinition unless the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   133
# corresponding RuntimePermission ("defineClassInPackage."+package) has
90ce3da70b43 Initial load
duke
parents:
diff changeset
   134
# been granted.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   135
#
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   136
# by default, none of the class loaders supplied with the JDK call
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   137
# checkPackageDefinition.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   138
#
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   139
package.definition=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   140
90ce3da70b43 Initial load
duke
parents:
diff changeset
   141
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   142
# Determines whether this properties file can be appended to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   143
# or overridden on the command line via -Djava.security.properties
90ce3da70b43 Initial load
duke
parents:
diff changeset
   144
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   145
security.overridePropertiesFile=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   146
90ce3da70b43 Initial load
duke
parents:
diff changeset
   147
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   148
# Determines the default key and trust manager factory algorithms for
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   149
# the javax.net.ssl package.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   150
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   151
ssl.KeyManagerFactory.algorithm=SunX509
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
ssl.TrustManagerFactory.algorithm=PKIX
90ce3da70b43 Initial load
duke
parents:
diff changeset
   153
90ce3da70b43 Initial load
duke
parents:
diff changeset
   154
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   155
# The Java-level namelookup cache policy for successful lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   156
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   157
# any negative value: caching forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   158
# any positive value: the number of seconds to cache an address for
90ce3da70b43 Initial load
duke
parents:
diff changeset
   159
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   161
# default value is forever (FOREVER). For security reasons, this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   162
# caching is made forever when a security manager is set. When a security
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   163
# manager is not set, the default behavior in this implementation
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   164
# is to cache for 30 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   165
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   166
# NOTE: setting this to anything other than the default value can have
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   167
#       serious security implications. Do not set it unless
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   168
#       you are sure you are not exposed to DNS spoofing attack.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   169
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   170
#networkaddress.cache.ttl=-1
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   171
90ce3da70b43 Initial load
duke
parents:
diff changeset
   172
# The Java-level namelookup cache policy for failed lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   173
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   174
# any negative value: cache forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   175
# any positive value: the number of seconds to cache negative lookup results
90ce3da70b43 Initial load
duke
parents:
diff changeset
   176
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   177
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   178
# In some Microsoft Windows networking environments that employ
90ce3da70b43 Initial load
duke
parents:
diff changeset
   179
# the WINS name service in addition to DNS, name service lookups
90ce3da70b43 Initial load
duke
parents:
diff changeset
   180
# that fail may take a noticeably long time to return (approx. 5 seconds).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   181
# For this reason the default caching policy is to maintain these
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   182
# results for 10 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   183
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   184
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   185
networkaddress.cache.negative.ttl=10
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   188
# Properties to configure OCSP for certificate revocation checking
90ce3da70b43 Initial load
duke
parents:
diff changeset
   189
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   190
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   191
# Enable OCSP
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   192
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   193
# By default, OCSP is not used for certificate revocation checking.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   194
# This property enables the use of OCSP when set to the value "true".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   195
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   196
# NOTE: SocketPermission is required to connect to an OCSP responder.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   197
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   198
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   199
#   ocsp.enable=true
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   200
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   201
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   202
# Location of the OCSP responder
90ce3da70b43 Initial load
duke
parents:
diff changeset
   203
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   204
# By default, the location of the OCSP responder is determined implicitly
90ce3da70b43 Initial load
duke
parents:
diff changeset
   205
# from the certificate being validated. This property explicitly specifies
90ce3da70b43 Initial load
duke
parents:
diff changeset
   206
# the location of the OCSP responder. The property is used when the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   207
# Authority Information Access extension (defined in RFC 3280) is absent
90ce3da70b43 Initial load
duke
parents:
diff changeset
   208
# from the certificate or when it requires overriding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   209
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   210
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   211
#   ocsp.responderURL=http://ocsp.example.net:80
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   212
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   213
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   214
# Subject name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   215
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   216
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   217
# of the certificate being validated. This property identifies the certificate
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   218
# of the OCSP responder when the default does not apply. Its value is a string
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   219
# distinguished name (defined in RFC 2253) which identifies a certificate in
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   220
# the set of certificates supplied during cert path validation. In cases where
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   221
# the subject name alone is not sufficient to uniquely identify the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   222
# then both the "ocsp.responderCertIssuerName" and
90ce3da70b43 Initial load
duke
parents:
diff changeset
   223
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   224
# property is set then those two properties are ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   225
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   226
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   227
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   228
90ce3da70b43 Initial load
duke
parents:
diff changeset
   229
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   230
# Issuer name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   231
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   232
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   233
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   234
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   235
# distinguished name (defined in RFC 2253) which identifies a certificate in
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   236
# the set of certificates supplied during cert path validation. When this
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   237
# property is set then the "ocsp.responderCertSerialNumber" property must also
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   238
# be set. When the "ocsp.responderCertSubjectName" property is set then this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   239
# property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   240
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   241
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   242
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   243
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   244
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   245
# Serial number of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   246
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   247
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   248
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   249
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   250
# of hexadecimal digits (colon or space separators may be present) which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   251
# identifies a certificate in the set of certificates supplied during cert path
90ce3da70b43 Initial load
duke
parents:
diff changeset
   252
# validation. When this property is set then the "ocsp.responderCertIssuerName"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   253
# property must also be set. When the "ocsp.responderCertSubjectName" property
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
# is set then this property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   257
#   ocsp.responderCertSerialNumber=2A:FF:00
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   258
6311
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   259
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   260
# Policy for failed Kerberos KDC lookups:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   261
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   262
# When a KDC is unavailable (network error, service failure, etc), it is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   263
# put inside a blacklist and accessed less often for future requests. The
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   264
# value (case-insensitive) for this policy can be:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   265
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   266
# tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   267
#    KDCs in the blacklist are always tried after those not on the list.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   268
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   269
# tryLess[:max_retries,timeout]
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   270
#    KDCs in the blacklist are still tried by their order in the configuration,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   271
#    but with smaller max_retries and timeout values. max_retries and timeout
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   272
#    are optional numerical parameters (default 1 and 5000, which means once
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   273
#    and 5 seconds). Please notes that if any of the values defined here is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   274
#    more than what is defined in krb5.conf, it will be ignored.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   275
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   276
# Whenever a KDC is detected as available, it is removed from the blacklist.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   277
# The blacklist is reset when krb5.conf is reloaded. You can add
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   278
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   279
# reloaded whenever a JAAS authentication is attempted.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   280
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   281
# Example,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   282
#   krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   283
#   krb5.kdc.bad.policy = tryLess:2,2000
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   284
krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   285
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   286
# Algorithm restrictions for certification path (CertPath) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   287
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   288
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   289
# for certification path building and validation.  For example, "MD2" is
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   290
# generally no longer considered to be a secure hash algorithm.  This section
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   291
# describes the mechanism for disabling algorithms based on algorithm name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   292
# and/or key length.  This includes algorithms used in certificates, as well
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   293
# as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   294
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   295
# The syntax of the disabled algorithm string is described as this Java
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   296
# BNF-style:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   297
#   DisabledAlgorithms:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   298
#       " DisabledAlgorithm { , DisabledAlgorithm } "
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   299
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   300
#   DisabledAlgorithm:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   301
#       AlgorithmName [Constraint]
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   302
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   303
#   AlgorithmName:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   304
#       (see below)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   305
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   306
#   Constraint:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   307
#       KeySizeConstraint
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   308
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   309
#   KeySizeConstraint:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   310
#       keySize Operator DecimalInteger
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   311
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   312
#   Operator:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   313
#       <= | < | == | != | >= | >
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   314
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   315
#   DecimalInteger:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   316
#       DecimalDigits
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   317
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   318
#   DecimalDigits:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   319
#       DecimalDigit {DecimalDigit}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   320
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   321
#   DecimalDigit: one of
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   322
#       1 2 3 4 5 6 7 8 9 0
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   323
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   324
# The "AlgorithmName" is the standard algorithm name of the disabled
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   325
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   326
# Documentation" for information about Standard Algorithm Names.  Matching
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   327
# is performed using a case-insensitive sub-element matching rule.  (For
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   328
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   329
# "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   330
# sub-element of the certificate algorithm name, the algorithm will be
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   331
# rejected during certification path building and validation.  For example,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   332
# the assertion algorithm name "DSA" will disable all certificate algorithms
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   333
# that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   334
# will not disable algorithms related to "ECDSA".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   335
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   336
# A "Constraint" provides further guidance for the algorithm being specified.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   337
# The "KeySizeConstraint" requires a key of a valid size range if the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   338
# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   339
# key size specified in number of bits.  For example, "RSA keySize <= 1024"
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   340
# indicates that any RSA key with key size less than or equal to 1024 bits
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   341
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   342
# that any RSA key with key size less than 1024 or greater than 2048 should
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   343
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   344
# algorithms.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   345
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   346
# Note: This property is currently used by Oracle's PKIX implementation. It
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   347
# is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   348
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   349
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   350
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   351
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   352
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   353
jdk.certpath.disabledAlgorithms=MD2
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   354
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   355
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   356
# (SSL/TLS) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   357
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   358
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   359
# when using SSL/TLS.  This section describes the mechanism for disabling
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   360
# algorithms during SSL/TLS security parameters negotiation, including cipher
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   361
# suites selection, peer authentication and key exchange mechanisms.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   362
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   363
# For PKI-based peer authentication and key exchange mechanisms, this list
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   364
# of disabled algorithms will also be checked during certification path
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   365
# building and validation, including algorithms used in certificates, as
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   366
# well as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   367
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   368
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   369
# See the specification of "jdk.certpath.disabledAlgorithms" for the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   370
# syntax of the disabled algorithm string.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   371
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   372
# Note: This property is currently used by Oracle's JSSE implementation.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   373
# It is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   374
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   375
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   376
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   377