280 # Example, |
280 # Example, |
281 # krb5.kdc.bad.policy = tryLast |
281 # krb5.kdc.bad.policy = tryLast |
282 # krb5.kdc.bad.policy = tryLess:2,2000 |
282 # krb5.kdc.bad.policy = tryLess:2,2000 |
283 krb5.kdc.bad.policy = tryLast |
283 krb5.kdc.bad.policy = tryLast |
284 |
284 |
|
285 # Algorithm restrictions for certification path (CertPath) processing |
|
286 # |
|
287 # In some environments, certain algorithms or key lengths may be undesirable |
|
288 # for certification path building and validation. For example, "MD2" is |
|
289 # generally no longer considered to be a secure hash algorithm. This section |
|
290 # describes the mechanism for disabling algorithms based on algorithm name |
|
291 # and/or key length. This includes algorithms used in certificates, as well |
|
292 # as revocation information such as CRLs and signed OCSP Responses. |
|
293 # |
|
294 # The syntax of the disabled algorithm string is described as this Java |
|
295 # BNF-style: |
|
296 # DisabledAlgorithms: |
|
297 # " DisabledAlgorithm { , DisabledAlgorithm } " |
|
298 # |
|
299 # DisabledAlgorithm: |
|
300 # AlgorithmName [Constraint] |
|
301 # |
|
302 # AlgorithmName: |
|
303 # (see below) |
|
304 # |
|
305 # Constraint: |
|
306 # KeySizeConstraint |
|
307 # |
|
308 # KeySizeConstraint: |
|
309 # keySize Operator DecimalInteger |
|
310 # |
|
311 # Operator: |
|
312 # <= | < | == | != | >= | > |
|
313 # |
|
314 # DecimalInteger: |
|
315 # DecimalDigits |
|
316 # |
|
317 # DecimalDigits: |
|
318 # DecimalDigit {DecimalDigit} |
|
319 # |
|
320 # DecimalDigit: one of |
|
321 # 1 2 3 4 5 6 7 8 9 0 |
|
322 # |
|
323 # The "AlgorithmName" is the standard algorithm name of the disabled |
|
324 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
|
325 # Documentation" for information about Standard Algorithm Names. Matching |
|
326 # is performed using a case-insensitive sub-element matching rule. (For |
|
327 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and |
|
328 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a |
|
329 # sub-element of the certificate algorithm name, the algorithm will be |
|
330 # rejected during certification path building and validation. For example, |
|
331 # the assertion algorithm name "DSA" will disable all certificate algorithms |
|
332 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion |
|
333 # will not disable algorithms related to "ECDSA". |
|
334 # |
|
335 # A "Constraint" provides further guidance for the algorithm being specified. |
|
336 # The "KeySizeConstraint" requires a key of a valid size range if the |
|
337 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the |
|
338 # key size specified in number of bits. For example, "RSA keySize <= 1024" |
|
339 # indicates that any RSA key with key size less than or equal to 1024 bits |
|
340 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates |
|
341 # that any RSA key with key size less than 1024 or greater than 2048 should |
|
342 # be disabled. Note that the "KeySizeConstraint" only makes sense to key |
|
343 # algorithms. |
|
344 # |
|
345 # Note: This property is currently used by Oracle's PKIX implementation. It |
|
346 # is not guaranteed to be examined and used by other implementations. |
|
347 # |
|
348 # Example: |
|
349 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 |
|
350 # |
|
351 # |
|
352 jdk.certpath.disabledAlgorithms=MD2 |
|
353 |
|
354 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security |
|
355 # (SSL/TLS) processing |
|
356 # |
|
357 # In some environments, certain algorithms or key lengths may be undesirable |
|
358 # when using SSL/TLS. This section describes the mechanism for disabling |
|
359 # algorithms during SSL/TLS security parameters negotiation, including cipher |
|
360 # suites selection, peer authentication and key exchange mechanisms. |
|
361 # |
|
362 # For PKI-based peer authentication and key exchange mechanisms, this list |
|
363 # of disabled algorithms will also be checked during certification path |
|
364 # building and validation, including algorithms used in certificates, as |
|
365 # well as revocation information such as CRLs and signed OCSP Responses. |
|
366 # This is in addition to the jdk.certpath.disabledAlgorithms property above. |
|
367 # |
|
368 # See the specification of "jdk.certpath.disabledAlgorithms" for the |
|
369 # syntax of the disabled algorithm string. |
|
370 # |
|
371 # Note: This property is currently used by Oracle's JSSE implementation. |
|
372 # It is not guaranteed to be examined and used by other implementations. |
|
373 # |
|
374 # Example: |
|
375 # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 |
|
376 |