From 5e6d08eebdf3b3a001403db51b3d9acbb377d52b Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Fri, 17 Dec 2021 13:22:01 +0100
Subject: [PATCH] committing changes in /etc made by "/usr/bin/apt full-upgrade -y"
Package changes:
-linux-firmware 1.187.20 all
+linux-firmware 1.187.23 all
-openjdk-11-jre 11.0.11+9-0ubuntu2~20.04 amd64
-openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.04 amd64
-openjdk-8-jdk 8u292-b10-0ubuntu1~20.04 amd64
-openjdk-8-jdk-headless 8u292-b10-0ubuntu1~20.04 amd64
-openjdk-8-jre 8u292-b10-0ubuntu1~20.04 amd64
-openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.04 amd64
+openjdk-11-jre 11.0.13+8-0ubuntu1~20.04 amd64
+openjdk-11-jre-headless 11.0.13+8-0ubuntu1~20.04 amd64
+openjdk-8-jdk 8u312-b07-0ubuntu1~20.04 amd64
+openjdk-8-jdk-headless 8u312-b07-0ubuntu1~20.04 amd64
+openjdk-8-jre 8u312-b07-0ubuntu1~20.04 amd64
+openjdk-8-jre-headless 8u312-b07-0ubuntu1~20.04 amd64
---
 java-11-openjdk/security/java.security | 100 ++++++++++++++++++++++---
 java-8-openjdk/security/java.security | 10 +++
 2 files changed, 101 insertions(+), 9 deletions(-)
diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security
index d1d8856..30a1f37 100644
--- a/java-11-openjdk/security/java.security
+++ b/java-11-openjdk/security/java.security
@@ -538,9 +538,9 @@ jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
 # include
 #
 # The "AlgorithmName" is the standard algorithm name of the disabled
-# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
-# Documentation" for information about Standard Algorithm Names. Matching
-# is performed using a case-insensitive sub-element matching rule. (For
+# algorithm. See the Java Security Standard Algorithm Names Specification
+# for information about Standard Algorithm Names. Matching is
+# performed using a case-insensitive sub-element matching rule. (For
 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
 # sub-element of the certificate algorithm name, the algorithm will be
@@ -703,8 +703,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling
 # algorithms during SSL/TLS/DTLS security parameters negotiation, including
-# protocol version negotiation, cipher suites selection, peer authentication
-# and key exchange mechanisms.
+# protocol version negotiation, cipher suites selection, named groups
+# selection, signature schemes selection, peer authentication and key
+# exchange mechanisms.
 #
 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
 # if they are enabled explicitly in an application.
@@ -725,7 +726,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
+# rsa_pkcs1_sha1, secp224r1
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
 include jdk.disabled.namedCurves
@@ -770,8 +772,8 @@ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
 # 4. JSSE message digest algorithm name, e.g., SHA
 #
-# See SSL/TLS specifications and "Java Cryptography Architecture Standard
-# Algorithm Name Documentation" for information about the algorithm names.
+# See SSL/TLS specifications and the Java Security Standard Algorithm Names
+# Specification for information about the algorithm names.
 #
 # Note: If a legacy algorithm is also restricted through the
 # jdk.tls.disabledAlgorithms property or the
@@ -1122,6 +1124,77 @@ jdk.xml.dsig.secureValidationPolicy=\
 jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
 java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
+#
+# PKCS12 KeyStore properties
+#
+# The following properties, if configured, are used by the PKCS12 KeyStore
+# implementation during the creation of a new keystore. Several of the
+# properties may also be used when modifying an existing keystore. The
+# properties can be overridden by a KeyStore API that specifies its own
+# algorithms and parameters.
+#
+# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
+# parameter used to generate the existing Mac will be reused. If the existing
+# keystore does not have a Mac, no Mac will be created while storing. If there
+# is at least one certificate in the existing keystore, the algorithm and
+# parameters used to encrypt the last certificate in the existing keystore will
+# be reused to encrypt all certificates while storing. If the last certificate
+# in the existing keystore is not encrypted, all certificates will be stored
+# unencrypted. If there is no certificate in the existing keystore, any newly
+# added certificate will be encrypted (or stored unencrypted if algorithm
+# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
+# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
+# and secret key(s) are not changed. Newly set private and secret key(s) will
+# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
+# "keystore.pkcs12.keyPbeIterationCount" values defined here.
+#
+# In order to apply new algorithms and parameters to all entries in an
+# existing keystore, one can create a new keystore and add entries in the
+# existing keystore into the new keystore. This can be achieved by calling the
+# "keytool -importkeystore" command.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# If the property is set to an illegal value,
+# an iteration count that is not a positive integer, or an unknown algorithm
+# name, an exception will be thrown when the property is used.
+# If the property is not set or empty, a default value will be used.
+#
+# Note: These properties are currently used by the JDK Reference implementation.
+# They are not guaranteed to be examined and used by other implementations.
+
+# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
+# algorithm defined in the Cipher section of the Java Security Standard
+# Algorithm Names Specification. When set to "NONE", the certificate
+# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a certificate.
+# This value must be a positive integer. The default value is 10000.
+#keystore.pkcs12.certPbeIterationCount = 10000
+
+# The algorithm used to encrypt a private key or secret key. This can be
+# any non-Hmac PBE algorithm defined in the Cipher section of the Java
+# Security Standard Algorithm Names Specification. The value must not be "NONE".
+# The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a private key
+# or a secret key. This value must be a positive integer. The default value
+# is 10000.
+#keystore.pkcs12.keyPbeIterationCount = 10000
+
+# The algorithm used to calculate the optional MacData at the end of a PKCS12
+# file. This can be any HmacPBE algorithm defined in the Mac section of the
+# Java Security Standard Algorithm Names Specification. When set to "NONE",
+# no Mac is generated. The default value is "HmacPBESHA1".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA1
+
+# The iteration count used by the MacData algorithm. This value must be a
+# positive integer. The default value is 100000.
+#keystore.pkcs12.macIterationCount = 100000
+
 #
 # Enhanced exception message information
 #
@@ -1257,7 +1330,6 @@ jdk.io.permissionsUseCanonicalPath=false
 #
 #jdk.security.allowNonCaAnchor=true
-#
 # JNDI Object Factories Filter
 #
 # This filter is used by the JNDI runtime to control the set of object factory classes
@@ -1279,3 +1351,13 @@ jdk.io.permissionsUseCanonicalPath=false
 # The default pattern value allows any object factory class specified by the reference
 # instance to recreate the referenced object.
 #jdk.jndi.object.factoriesFilter=*
+
+#
+# The default Character set name (java.nio.charset.Charset.forName())
+# for converting TLS ALPN values between byte arrays and Strings.
+# Prior versions of the JDK may use UTF-8 as the default charset. If
+# you experience interoperability issues, setting this property to UTF-8
+# may help.
+#
+# jdk.tls.alpnCharset=UTF-8
+jdk.tls.alpnCharset=ISO_8859_1
diff --git a/java-8-openjdk/security/java.security b/java-8-openjdk/security/java.security
index 4d9ef23..1d19339 100644
--- a/java-8-openjdk/security/java.security
+++ b/java-8-openjdk/security/java.security
@@ -1199,6 +1199,16 @@ jdk.security.caDistrustPolicies=SYMANTEC_TLS
 #
 #jdk.security.allowNonCaAnchor=true
+#
+# The default Character set name (java.nio.charset.Charset.forName())
+# for converting TLS ALPN values between byte arrays and Strings.
+# Prior versions of the JDK may use UTF-8 as the default charset. If
+# you experience interoperability issues, setting this property to UTF-8
+# may help.
+#
+# jdk.tls.alpnCharset=UTF-8
+jdk.tls.alpnCharset=ISO_8859_1
+
 #
 # JNDI Object Factories Filter
 #
-- 
2.39.5
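Review bot: `jdk.tls.alpnCharset=ISO_8859_1` in the hunk at @@ -1279,3 +1351,13 @@ is the one setting this upgrade activates rather than merely documents, and the comment above it only says that switching to UTF-8 "may help" interoperability without saying what the ISO_8859_1 default preserves. ISO-8859-1 maps every byte value 0–255 to exactly one char, so the byte-array/String round trip of ALPN protocol names cannot lose data, whereas ALPN bytes that are not valid UTF-8 would not survive a decode under UTF-8. A one-line comment directly above the active line, `# ISO_8859_1 round-trips every ALPN byte; switch to UTF-8 only for a peer known to send UTF-8 protocol names`, would make the default auditable for anyone tempted by the "may help" hint. The same block, with the same gap, is added to java-8-openjdk/security/java.security in the hunk at @@ -1199,6 +1199,16 @@.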