What are the valid values for the Java security parameter jdk.tls.disabledAlgorithms

Tags: java, jsse

On the web I often see configuration examples for the parameter jdk.tls.disabledAlgorithms (set in the java.security file), for example:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Is there an exhaustive list/guide for setting the value of this parameter, i.e. all the values it can accept and how these values are constructed?

There is. From there you can see: "The exact syntax of the property is described in the java-home/lib/security/java.security file, but is briefly summarized here." (

From the java.security file (as EJP mentioned in the comments):
In some environments, certain algorithms or key lengths may be undesirable
for certification path building and validation.  For example, "MD2" is
generally no longer considered to be a secure hash algorithm.  This section
describes the mechanism for disabling algorithms based on algorithm name
and/or key length.  This includes algorithms used in certificates, as well
as revocation information such as CRLs and signed OCSP Responses.

The syntax of the disabled algorithm string is described as this Java
BNF-style:
  DisabledAlgorithms:
      " DisabledAlgorithm { , DisabledAlgorithm } "

  DisabledAlgorithm:
      AlgorithmName [Constraint]

  AlgorithmName:
      (see below)

  Constraint:
      KeySizeConstraint

  KeySizeConstraint:
      keySize Operator DecimalInteger

  Operator:
      <= | < | == | != | >= | >

  DecimalInteger:
      DecimalDigits

  DecimalDigits:
      DecimalDigit {DecimalDigit}

  DecimalDigit: one of
      1 2 3 4 5 6 7 8 9 0

The "AlgorithmName" is the standard algorithm name of the disabled
algorithm. See "Java Cryptography Architecture Standard Algorithm Name
Documentation" for information about Standard Algorithm Names.  Matching
is performed using a case-insensitive sub-element matching rule.  (For
example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
"ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
sub-element of the certificate algorithm name, the algorithm will be
rejected during certification path building and validation.  For example,
the assertion algorithm name "DSA" will disable all certificate algorithms
that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
will not disable algorithms related to "ECDSA".

A "Constraint" provides further guidance for the algorithm being specified.
The "KeySizeConstraint" requires a key of a valid size range if the
"AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
key size specified in number of bits.  For example, "RSA keySize <= 1024"
indicates that any RSA key with key size less than or equal to 1024 bits
should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
that any RSA key with key size less than 1024 or greater than 2048 should
be disabled. Note that the "KeySizeConstraint" only makes sense to key
algorithms.

Note: This property is currently used by Oracle's PKIX implementation. It
is not guaranteed to be examined and used by other implementations.

Example:
  jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
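As an added example, not code from the question, the answers or the JDK itself, the following Python re-implements the grammar quoted above so that a property value can be tested offline: it parses the comma-separated entries, applies the case-insensitive sub-element matching rule, and evaluates all six keySize operators. The class and function names (DisabledAlgorithm, parse_disabled_algorithms, sub_elements, is_disabled, evaluate) are this example's own inventions, splitting names on "and" as well as "with" is an assumption, and only the AlgorithmName + keySize constraints shown on this page are handled. jdk.tls.disabledAlgorithms uses the same AlgorithmName and keySize syntax; later JDK releases extend both properties with further constraint forms (such as jdkCA, denyAfter, usage and &-joined constraints), so the java.security file shipped with the JDK in use is the authoritative list.

```python
"""Evaluate a disabledAlgorithms-style property value against certificate
algorithms, following the AlgorithmName + keySize grammar quoted from
java.security.

Hypothetical example code: this is NOT the JDK's own implementation, and the
names DisabledAlgorithm, parse_disabled_algorithms, sub_elements, is_disabled
and evaluate are inventions for this illustration.
"""
import operator
import re
from dataclasses import dataclass
from typing import Optional

# Operator: <= | < | == | != | >= | >
_OPS = {
    "<=": operator.le,
    "<": operator.lt,
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    ">": operator.gt,
}

# KeySizeConstraint: keySize Operator DecimalInteger
# Two-character operators are listed first so "<=" is not read as "<".
_KEYSIZE_RE = re.compile(r"^keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.IGNORECASE)

# Sub-element split: the quoted text documents "with" (SHA1withECDSA -> SHA1, ECDSA).
# Also splitting on "and" (e.g. SHA256withRSAandMGF1) is an assumption of this example.
_SPLIT_RE = re.compile(r"with|and", re.IGNORECASE)


@dataclass(frozen=True)
class DisabledAlgorithm:
    name: str                   # AlgorithmName
    op: Optional[str] = None    # Operator, None when no Constraint was given
    bits: Optional[int] = None  # DecimalInteger (key size in bits)


def parse_disabled_algorithms(value: str) -> list[DisabledAlgorithm]:
    """Parse 'DisabledAlgorithm { , DisabledAlgorithm }' into a list of entries."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate an empty entry such as a trailing comma
        parts = item.split(None, 1)  # AlgorithmName [Constraint]
        name = parts[0]
        if len(parts) == 1:
            entries.append(DisabledAlgorithm(name))
            continue
        m = _KEYSIZE_RE.match(parts[1].strip())
        if m is None:
            raise ValueError(f"unsupported constraint in {item!r}")
        entries.append(DisabledAlgorithm(name, m.group(1), int(m.group(2))))
    return entries


def sub_elements(algorithm: str) -> set[str]:
    """Case-insensitive sub-elements of an algorithm name, plus the full name."""
    parts = {p.strip().lower() for p in _SPLIT_RE.split(algorithm)}
    parts.discard("")
    parts.add(algorithm.strip().lower())
    return parts


def is_disabled(entries: list[DisabledAlgorithm], algorithm: str,
                key_size: Optional[int] = None) -> bool:
    """True if any entry rejects `algorithm` (with `key_size` bits, if known).

    A bare AlgorithmName rejects every algorithm that contains it as a
    sub-element; a keySize entry only fires when a key size was supplied and
    it satisfies the operator.
    """
    elems = sub_elements(algorithm)
    for e in entries:
        if e.name.lower() not in elems:
            continue
        if e.op is None:
            return True
        if key_size is not None and _OPS[e.op](key_size, e.bits):
            return True
    return False


def evaluate(policy: str, algorithm: str, key_size: Optional[int] = None) -> bool:
    """Convenience wrapper: parse `policy` and test one algorithm against it."""
    return is_disabled(parse_disabled_algorithms(policy), algorithm, key_size)


if __name__ == "__main__":
    # The example value from the java.security excerpt quoted above, plus the
    # two-constraint form ("less than 1024 or greater than 2048") it describes.
    for policy in ("MD2, DSA, RSA keySize < 2048",
                   "RSA keySize < 1024, RSA keySize > 2048"):
        print(f"policy: {policy}")
        for alg, bits in [("MD2withRSA", None), ("SHA1withDSA", None),
                          ("SHA256withECDSA", None), ("SHA256withRSA", None),
                          ("RSA", 512), ("RSA", 2048), ("RSA", 4096)]:
            verdict = "disabled" if evaluate(policy, alg, bits) else "allowed"
            print(f"  {alg:>16} {bits or '':>5} -> {verdict}")
```

Running it prints a verdict per algorithm for both policies. The `DSA` entry rejecting `SHA1withDSA` but not `SHA256withECDSA` is the sub-element rule from the text in action, and `RSA keySize < 2048` leaves the bare signature name `SHA256withRSA` alone because there is no key size to compare; in a real certification path the constraint is evaluated against the public key in the certificate.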