【问题标题】:What are valid values for the security parameter jdk.tls.disabledAlgorithms安全参数 jdk.tls.disabledAlgorithms 的有效值是什么
【发布时间】:2016-08-02 09:43:19
【问题描述】:

在网上我经常看到参数 jdk.tls.disabledAlgorithms(在 java.security 文件中设置)的配置示例,例如:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

是否有详尽的列表/指南来设置此参数的值,即它可以采用哪些值,以及如何构造这些值。

【问题讨论】:

  • 是的。来自documentation:“属性的确切语法在 java-home/lib/security/java.security 文件中进行了描述,但在这里进行了简要总结。”
  • 我不敢相信我错过了:(

标签: java jsse


【解决方案1】:

来自 java.security 文件(正如 EJP 在评论中提到的那样):

In some environments, certain algorithms or key lengths may be undesirable
for certification path building and validation.  For example, "MD2" is
generally no longer considered to be a secure hash algorithm.  This section
describes the mechanism for disabling algorithms based on algorithm name
and/or key length.  This includes algorithms used in certificates, as well
as revocation information such as CRLs and signed OCSP Responses.

The syntax of the disabled algorithm string is described as this Java
BNF-style:
  DisabledAlgorithms:
      " DisabledAlgorithm { , DisabledAlgorithm } "

  DisabledAlgorithm:
      AlgorithmName [Constraint]

  AlgorithmName:
      (see below)

  Constraint:
      KeySizeConstraint

  KeySizeConstraint:
      keySize Operator DecimalInteger

  Operator:
      <= | < | == | != | >= | >

  DecimalInteger:
      DecimalDigits

  DecimalDigits:
      DecimalDigit {DecimalDigit}

  DecimalDigit: one of
      1 2 3 4 5 6 7 8 9 0

The "AlgorithmName" is the standard algorithm name of the disabled
algorithm. See "Java Cryptography Architecture Standard Algorithm Name
Documentation" for information about Standard Algorithm Names.  Matching
is performed using a case-insensitive sub-element matching rule.  (For
example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
"ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
sub-element of the certificate algorithm name, the algorithm will be
rejected during certification path building and validation.  For example,
the assertion algorithm name "DSA" will disable all certificate algorithms
that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
will not disable algorithms related to "ECDSA".

A "Constraint" provides further guidance for the algorithm being specified.
The "KeySizeConstraint" requires a key of a valid size range if the
"AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
key size specified in number of bits.  For example, "RSA keySize <= 1024"
indicates that any RSA key with key size less than or equal to 1024 bits
should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
that any RSA key with key size less than 1024 or greater than 2048 should
be disabled. Note that the "KeySizeConstraint" only makes sense to key
algorithms.

Note: This property is currently used by Oracle's PKIX implementation. It
is not guaranteed to be examined and used by other implementations.

Example:
  jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048

【讨论】:

    猜你喜欢
    • 2012-12-10
    • 2014-05-09
    • 2022-12-03
    • 1970-01-01
    • 2011-06-26
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多