
How to fix: Java 8 (u291 and later) disabled TLS 1.1, so JDBC can no longer connect to SQL Server 2008 over SSL

After Java 8u291, TLS 1.1 is disabled, which stops JDBC from connecting to SQL Server 2008 over SSL. Here is the fix: modify the java.security file.

1. Find the JRE's java.security file. For a JRE it is under {java_home}/jre/lib/security, for example
c:\program files\java\jre1.8.0_301\lib\security
For the portable (no-install) Eclipse package, search the installation folder for java.security, for example
xxx\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.1.v20210528-1205\jre\conf\security
For the installed Eclipse on Windows, the file is under c:/<user folder>/.p2/pool/plugins/…, for example
c:\users\admin\.p2\pool\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\conf\security
If you search the whole C: drive for java.security you may get two or more hits, because there is also a copy in the temp folder.
2. Open java.security and search for jdk.tls.disabledAlgorithms=
You will find:
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
3. Delete TLSv1, TLSv1.1; after the deletion it becomes
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
4. Save. That is all. The modified sample file follows; for JRE 8 it can be copied directly.
Tested and working.
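Editing the master java.security re-enables TLS 1.0/1.1 for every program that JVM runs. As an added example (not code from the original post), the following Java program shows the narrower alternative: drop only the two protocol entries from jdk.tls.disabledAlgorithms inside the one process that must reach the legacy server, then verify what the default SSLContext will offer. The class and method names are mine, and it assumes a stock JDK 8u291 or later with no other overrides.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/*
 * Added example, not code from the original post. Re-enables only the
 * protocol versions named in main() for this one JVM process, then prints
 * what the default SSLContext will offer so the change can be verified.
 * Compile and run with: javac TlsLegacyCheck.java && java TlsLegacyCheck
 */
public class TlsLegacyCheck {

    /*
     * Remove selected entries from a disabledAlgorithms list and keep the rest
     * (RC4, DES, MD5withRSA, "DH keySize < 1024", ...) disabled. Entries are
     * compared case-insensitively, as the JDK itself does for algorithm names.
     */
    static String withoutEntries(String disabledList, String... entriesToDrop) {
        List<String> kept = new ArrayList<>();
        for (String raw : disabledList.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            boolean drop = false;
            for (String candidate : entriesToDrop) {
                if (entry.equalsIgnoreCase(candidate)) {
                    drop = true;
                    break;
                }
            }
            if (!drop) {
                kept.add(entry);
            }
        }
        return String.join(", ", kept);
    }

    /* Protocols the default SSLContext enables on a new socket. */
    static List<String> defaultProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        String before = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (before == null) {
            before = "";
        }
        System.out.println("jdk.tls.disabledAlgorithms before: " + before);

        // Process-scoped alternative to editing the master java.security file.
        // This must run before the first SSLContext is created, because JSSE
        // reads the property once when it initialises its algorithm constraints.
        String after = withoutEntries(before, "TLSv1", "TLSv1.1");
        Security.setProperty("jdk.tls.disabledAlgorithms", after);
        System.out.println("jdk.tls.disabledAlgorithms after:  " + after);

        // Verification: TLSv1 and TLSv1.1 should now be listed alongside TLSv1.2.
        System.out.println("default protocols: " + defaultProtocols());
    }
}
```

An equivalent without code changes: put only the edited jdk.tls.disabledAlgorithms line in its own file and start that one application with -Djava.security.properties=file:/path/to/legacy-tls.properties, which the master file's own header describes as appending to and overriding the master values. TLS still negotiates the highest version both peers support, but any peer can now choose TLS 1.0 or 1.1, so keep the override confined to the application that must reach the legacy server.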
#
# this is the master security properties file.
#
# an alternate java.security properties file may be specified
# from the command line via the system property
#
#    -Djava.security.properties=<URL>
#
# this properties file appends to the master security properties file.
# if both properties files specify values for the same key, the value
# from the command-line properties file is selected, as it is the last
# one loaded.
#
# also, if you specify
#
#    -Djava.security.properties==<URL> (2 equals),
#
# then that properties file completely overrides the master security
# properties file.
#
# to disable the ability to specify an additional properties file from
# the command line, set the key security.overridepropertiesfile
# to false in the master security properties file. it is set to true
# by default.
# in this file, various security properties are set for use by
# java.security classes. this is where users can statically register
# cryptography package providers (providers for short). the term
# provider refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the java security api. a provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# each provider must implement a subclass of the provider class.
# to register a provider in this master security properties file,
# specify the provider and priority in the format
#
#    security.provider.<n>=<provider_name | class_name>
#
# this declares a provider, and specifies its preference
# order n. the preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). the order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <provider_name> must specify the name of the Provider as passed to its super
# class java.security.provider constructor. this is for providers loaded
# through the serviceloader mechanism.
#
# <class_name> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the java security api to look up the algorithms or other
# facilities implemented by the provider. this is for providers loaded
# through classpath.
#
# note: providers can be dynamically registered instead by calls to
# either the addprovider or insertproviderat method in the security
# class.
#
# list of providers and their preference orders (see above):
#
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
security.provider.11=JdkSASL
security.provider.12=SunMSCAPI
security.provider.13=SunPKCS11
#
# a list of preferred providers for specific algorithms. these providers will
# be searched for matching algorithms before the list of registered providers.
# entries containing errors (parsing, etc) will be ignored. use the
# -djava.security.debug=jca property to debug these errors.
#
# the property is a comma-separated list of servicetype.algorithm:provider
# entries. the servicetype (example: messagedigest) is optional, and if
# not specified, the algorithm applies to all service types that support it.
# the algorithm is the standard algorithm name or transformation.
# transformations can be specified in their full standard name
# (ex: aes/cbc/pkcs5padding), or as partial matches (ex: aes, aes/cbc).
# the provider is the name of the provider. any provider that does not
# also appear in the registered list will be ignored.
#
# there is a special servicetype for this property only to group a set of
# algorithms together. the type is group and is followed by an algorithm
# keyword. groups are to simplify and lessen the entries on the property
# line. current groups are:
#   group.sha2 = sha-224, sha-256, sha-384, sha-512, sha-512/224, sha-512/256
#   group.hmacsha2 = hmacsha224, hmacsha256, hmacsha384, hmacsha512
#   group.sha2rsa = sha224withrsa, sha256withrsa, sha384withrsa, sha512withrsa
#   group.sha2dsa = sha224withdsa, sha256withdsa, sha384withdsa, sha512withdsa
#   group.sha2ecdsa = sha224withecdsa, sha256withecdsa, sha384withecdsa, \
#                     sha512withecdsa
#   group.sha3 = sha3-224, sha3-256, sha3-384, sha3-512
#   group.hmacsha3 = hmacsha3-224, hmacsha3-256, hmacsha3-384, hmacsha3-512
#
# example:
#   jdk.security.provider.preferred=aes/gcm/nopadding:sunjce, \
#         messagedigest.sha-256:sun, group.hmacsha2:sunjce
#
#jdk.security.provider.preferred=
#
# sun provider securerandom seed source.
#
# select the primary source of seed data for the nativeprng, sha1prng
# and drbg securerandom implementations in the sun provider.
# (other securerandom implementations might also use this property.)
#
# on unix-like systems (for example, linux/macos), the
# nativeprng, sha1prng and drbg implementations obtains seed data from
# special device files such as file:/dev/random.
#
# on windows systems, specifying the urls file:/dev/random or
# file:/dev/urandom will enable the native microsoft cryptoapi seeding
# mechanism for sha1prng and drbg.
#
# by default, an attempt is made to use the entropy gathering device
# specified by the securerandom.source security property.  if an
# exception occurs while accessing the specified url:
#
#     nativeprng:
#         a default value of /dev/random will be used.  if neither
#         are available, the implementation will be disabled.
#         file is the only currently supported protocol type.
#
#     sha1prng and drbg:
#         the traditional system/thread activity algorithm will be used.
#
# the entropy gathering device can also be specified with the system
# property java.security.egd. for example:
#
#   % java -djava.security.egd=file:/dev/random mainclass
#
# specifying this system property will override the
# securerandom.source security property.
#
# in addition, if file:/dev/random or file:/dev/urandom is
# specified, the nativeprng implementation will be more preferred than
# drbg and sha1prng in the sun provider.
#
securerandom.source=file:/dev/random
#
# a list of known strong securerandom implementations.
#
# to help guide applications in selecting a suitable strong
# java.security.securerandom implementation, java distributions should
# indicate a list of known strong implementations using the property.
#
# this is a comma-separated list of algorithm and/or algorithm:provider
# entries.
#
securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
#
# sun provider drbg configuration and default instantiation request.
#
# nist sp 800-90ar1 lists several drbg mechanisms. each can be configured
# with a drbg algorithm name, and can be instantiated with a security strength,
# prediction resistance support, etc. this property defines the configuration
# and the default instantiation request of drbg securerandom implementations
# in the sun provider. (other drbg implementations can also use this property.)
# applications can request different instantiation parameters like security
# strength, capability, personalization string using one of the
# getinstance(...,securerandomparameters,...) methods with a
# drbgparameters.instantiation argument, but other settings such as the
# mechanism and drbg algorithm names are not currently configurable by any api.
#
# please note that the sun implementation of drbg always supports reseeding.
#
# the value of this property is a comma-separated list of all configurable
# aspects. the aspects can appear in any order but the same aspect can only
# appear at most once. its bnf-style definition is:
#
#   value:
#     aspect { , aspect }
#
#   aspect:
#     mech_name | algorithm_name | strength | capability | df
#
#   // the drbg mechanism to use. default hash_drbg
#   mech_name:
#     hash_drbg | hmac_drbg | ctr_drbg
#
#   // the drbg algorithm name. the sha-*** names are for hash_drbg and
#   // hmac_drbg, default sha-256. the aes-*** names are for ctr_drbg,
#   // default aes-128 when using the limited cryptographic or aes-256
#   // when using the unlimited.
#   algorithm_name:
#     sha-224 | sha-512/224 | sha-256 |
#     sha-512/256 | sha-384 | sha-512 |
#     aes-128 | aes-192 | aes-256
#
#   // security strength requested. default 128
#   strength:
#     112 | 128 | 192 | 256
#
#   // prediction resistance and reseeding request. default none
#   //  pr_and_reseed - both prediction resistance and reseeding
#   //                    support requested
#   //  reseed_only   - only reseeding support requested
#   //  none          - neither prediction resistance not reseeding
#   //                    support requested
#   pr:
#     pr_and_reseed | reseed_only | none
#
#   // whether a derivation function should be used. only applicable
#   // to ctr_drbg. default use_df
#   df:
#     use_df | no_df
#
# examples,
#   securerandom.drbg.config=hash_drbg,sha-224,112,none
#   securerandom.drbg.config=ctr_drbg,aes-256,192,pr_and_reseed,use_df
#
# the default value is an empty string, which is equivalent to
#   securerandom.drbg.config=hash_drbg,sha-256,128,none
#
securerandom.drbg.config=
#
# class to instantiate as the javax.security.auth.login.configuration
# provider.
#
login.configuration.provider=sun.security.provider.ConfigFile
#
# default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
#
# class to instantiate as the system policy. this is the name of the class
# that will be used as the policy object. the system class loader is used to
# locate this class.
#
policy.provider=sun.security.provider.PolicyFile
# the default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
#
policy.url.1=file:${java.home}/conf/security/java.policy
policy.url.2=file:${user.home}/.java.policy
# controls whether or not properties are expanded in policy and login
# configuration files. if set to false, properties (${...}) will not
# be expanded in policy and login configuration files. if commented out or
# set to an empty string, the default value is false for policy files and
# true for login configuration files.
#
policy.expandProperties=true
# controls whether or not an extra policy or login configuration file is
# allowed to be passed on the command line with -djava.security.policy=somefile
# or -djava.security.auth.login.config=somefile. if commented out or set to
# an empty string, the default value is false.
#
policy.allowSystemProperty=true
# whether or not we look into the identityscope for trusted identities
# when encountering a 1.1 signed jar file. if the identity is found
# and is trusted, we grant it allpermission. note: the default policy
# provider (sun.security.provider.policyfile) does not support this property.
#
policy.ignoreIdentityScope=false
#
# default keystore type.
#
keystore.type=pkcs12
#
# controls compatibility mode for jks and pkcs12 keystore types.
#
# when set to 'true', both jks and pkcs12 keystore types support loading
# keystore files in either jks or pkcs12 format. when set to 'false' the
# jks keystore type supports loading only jks keystore files and the pkcs12
# keystore type supports loading only pkcs12 keystore files.
#
keystore.type.compat=true
#
# list of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when passed to the
# securitymanager::checkpackageaccess method unless the corresponding
# runtimepermission(accessclassinpackage.+package) has been granted.
#
package.access=sun.misc.,\
               sun.reflect.
#
# list of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when passed to the
# securitymanager::checkpackagedefinition method unless the corresponding
# runtimepermission(defineclassinpackage.+package) has been granted.
#
# by default, none of the class loaders supplied with the jdk call
# checkpackagedefinition.
#
package.definition=sun.misc.,\
                   sun.reflect.
#
# determines whether this properties file can be appended to
# or overridden on the command line via -djava.security.properties
#
security.overridePropertiesFile=true
#
# determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
#
# the java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (forever). for security reasons, this
# caching is made forever when a security manager is set. when a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# note: setting this to anything other than the default value can have
#       serious security implications. do not set it unless
#       you are sure you are not exposed to dns spoofing attack.
#
#networkaddress.cache.ttl=-1
# the java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# in some microsoft windows networking environments that employ
# the wins name service in addition to dns, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# for this reason the default caching policy is to maintain these
# results for 10 seconds.
#
networkaddress.cache.negative.ttl=10
#
# properties to configure ocsp for certificate revocation checking
#
# enable ocsp
#
# by default, ocsp is not used for certificate revocation checking.
# this property enables the use of ocsp when set to the value true.
#
# note: socketpermission is required to connect to an ocsp responder.
#
# example,
#   ocsp.enable=true
#
# location of the ocsp responder
#
# by default, the location of the ocsp responder is determined implicitly
# from the certificate being validated. this property explicitly specifies
# the location of the ocsp responder. the property is used when the
# authority information access extension (defined in rfc 5280) is absent
# from the certificate or when it requires overriding.
#
# example,
#   ocsp.responderurl=http://ocsp.example.net:80
#
# subject name of the ocsp responder's certificate
#
# by default, the certificate of the ocsp responder is that of the issuer
# of the certificate being validated. this property identifies the certificate
# of the ocsp responder when the default does not apply. its value is a string
# distinguished name (defined in rfc 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. in cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the ocsp.respondercertissuername and
# ocsp.respondercertserialnumber properties must be used instead. when this
# property is set then those two properties are ignored.
#
# example,
#   ocsp.respondercertsubjectname=cn=ocsp responder, o=xyz corp
#
# issuer name of the ocsp responder's certificate
#
# by default, the certificate of the ocsp responder is that of the issuer
# of the certificate being validated. this property identifies the certificate
# of the ocsp responder when the default does not apply. its value is a string
# distinguished name (defined in rfc 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. when this
# property is set then the ocsp.respondercertserialnumber property must also
# be set. when the ocsp.respondercertsubjectname property is set then this
# property is ignored.
#
# example,
#   ocsp.respondercertissuername=cn=enterprise ca, o=xyz corp
#
# serial number of the ocsp responder's certificate
#
# by default, the certificate of the ocsp responder is that of the issuer
# of the certificate being validated. this property identifies the certificate
# of the ocsp responder when the default does not apply. its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. when this property is set then the ocsp.respondercertissuername
# property must also be set. when the ocsp.respondercertsubjectname property
# is set then this property is ignored.
#
# example,
#   ocsp.respondercertserialnumber=2a:ff:00
#
# policy for failed kerberos kdc lookups:
#
# when a kdc is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. the
# value (case-insensitive) for this policy can be:
#
# trylast
#    kdcs in the blacklist are always tried after those not on the list.
#
# tryless[:max_retries,timeout]
#    kdcs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). please notes that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# whenever a kdc is detected as available, it is removed from the blacklist.
# the blacklist is reset when krb5.conf is reloaded. you can add
# refreshkrb5config=true to a jaas configuration file so that krb5.conf is
# reloaded whenever a jaas authentication is attempted.
#
# example,
#   krb5.kdc.bad.policy = trylast
#   krb5.kdc.bad.policy = tryless:2,2000
#
krb5.kdc.bad.policy = tryLast
#
# kerberos cross-realm referrals (rfc 6806)
#
# openjdk's kerberos client supports cross-realm referrals as defined in
# rfc 6806. this allows to setup more dynamic environments in which clients
# do not need to know in advance how to reach the realm of a target principal
# (either a user or service).
#
# when a client issues an as or a tgs request, the canonicalize option
# is set to announce support of this feature. a kdc server may fulfill the
# request or reply referring the client to a different one. if referred,
# the client will issue a new request and the cycle repeats.
#
# in addition to referrals, the canonicalize option allows the kdc server
# to change the client name in response to an as request. for security reasons,
# rfc 6806 (section 11) fast scheme is enforced.
#
# disable kerberos cross-realm referrals. value may be overwritten with a
# system property (-dsun.security.krb5.disablereferrals).
sun.security.krb5.disableReferrals=false
# maximum number of as or tgs referrals to avoid infinite loops. value may
# be overwritten with a system property (-dsun.security.krb5.maxreferrals).
sun.security.krb5.maxReferrals=5
#
# this property contains a list of disabled ec named curves that can be included
# in the jdk.[tls|certpath|jar].disabledalgorithms properties.  to include this
# list in any of the disabledalgorithms properties, add the property name as
# an entry.
#jdk.disabled.namedCurves=
#
# algorithm restrictions for certification path (certpath) processing
#
# in some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation.  for example, md2 is
# generally no longer considered to be a secure hash algorithm.  this section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length.  this includes algorithms used in certificates, as well
# as revocation information such as crls and signed ocsp responses.
# the syntax of the disabled algorithm string is described as follows:
#   disabledalgorithms:
#       disabledalgorithm { , disabledalgorithm }
#
#   disabledalgorithm:
#       algorithmname [constraint] { '&' constraint } | includeproperty
#
#   algorithmname:
#       (see below)
#
#   constraint:
#       keysizeconstraint | caconstraint | denyafterconstraint |
#       usageconstraint
#
#   keysizeconstraint:
#       keysize operator keylength
#
#   operator:
#       <= | < | == | != | >= | >
#
#   keylength:
#       integer value of the algorithm's key length in bits
#
#   caconstraint:
#       jdkca
#
#   denyafterconstraint:
#       denyafter yyyy-mm-dd
#
#   usageconstraint:
#       usage [tlsserver] [tlsclient] [signedjar]
#
#   includeproperty:
#       include <property>
#
# the algorithmname is the standard algorithm name of the disabled
# algorithm. see the java security standard algorithm names specification
# for information about standard algorithm names.  matching is
# performed using a case-insensitive sub-element matching rule.  (for
# example, in sha1withecdsa the sub-elements are sha1 for hashing and
# ecdsa for signatures.)  if the assertion algorithmname is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation.  for example,
# the assertion algorithm name dsa will disable all certificate algorithms
# that rely on dsa, such as nonewithdsa, sha1withdsa.  however, the assertion
# will not disable algorithms related to ecdsa.
#
# the includeproperty allows a implementation-defined security property that
# can be included in the disabledalgorithms properties.  these properties are
# to help manage common actions easier across multiple disabledalgorithm
# properties.
# there is one defined security property:  jdk.disabled.namedcurves
# see the property for more specific details.
#
#
# a constraint defines restrictions on the keys and/or certificates for
# a specified algorithmname:
#
#   keysizeconstraint:
#     keysize operator keylength
#       the constraint requires a key of a valid size range if the
#       algorithmname is of a key algorithm.  the keylength indicates
#       the key size specified in number of bits.  for example,
#       RSA keySize < 1024, RSA keySize > 2048 indicates that any RSA key
#       with key size less than 1024 or greater than 2048 should be disabled.
#       this constraint is only used on algorithms that have a key size.
#
#   caconstraint:
#     jdkca
#       this constraint prohibits the specified algorithm only if the
#       algorithm is used in a certificate chain that terminates at a marked
#       trust anchor in the lib/security/cacerts keystore.  if the jdkca
#       constraint is not set, then all chains using the specified algorithm
#       are restricted.  jdkca may only be used once in a disabledalgorithm
#       expression.
#       example:  to apply this constraint to sha-1 certificates, include
#       the following:  sha1 jdkca
#
#   denyafterconstraint:
#     denyafter yyyy-mm-dd
#       this constraint prohibits a certificate with the specified algorithm
#       from being used after the date regardless of the certificate's
#       validity.  jar files that are signed and timestamped before the
#       constraint date with certificates containing the disabled algorithm
#       will not be restricted.  the date is processed in the utc timezone.
#       this constraint can only be used once in a disabledalgorithm
#       expression.
#       example:  to deny usage of rsa 2048 bit certificates after feb 3 2020,
#       use the following:  rsa keysize == 2048 & denyafter 2020-02-03
#
#   usageconstraint:
#     usage [tlsserver] [tlsclient] [signedjar]
#       this constraint prohibits the specified algorithm for
#       a specified usage.  this should be used when disabling an algorithm
#       for all usages is not practical. 'tlsserver' restricts the algorithm
#       in tls server certificate chains when server authentication is
#       performed. 'tlsclient' restricts the algorithm in tls client
#       certificate chains when client authentication is performed.
#       'signedjar' constrains use of certificates in signed jar files.
#       the usage type follows the keyword and more than one usage type can
#       be specified with a whitespace delimiter.
#       example:  sha1 usage tlsserver tlsclient
#
# when an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'.  for example, to restrict certificates in a
# chain that terminate at a distribution provided trust anchor and contain
# rsa keys that are less than or equal to 1024 bits, add the following
# constraint:  rsa keysize <= 1024 & jdkca.
#
# all disabledalgorithms expressions are processed in the order defined in the
# property.  this requires lower keysize constraints to be specified
# before larger keysize constraints of the same algorithm.  for example:
# rsa keysize < 1024 & jdkca, rsa keysize < 2048.
#
# note: the algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# note: this property is currently used by oracle's pkix implementation. it
# is not guaranteed to be examined and used by other implementations.
#
# example:
#   jdk.certpath.disabledalgorithms=md2, dsa, rsa keysize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# legacy algorithms for certification path (certpath) processing and
# signed jar files.
#
# in some environments, a certain algorithm or key length may be undesirable
# but is not yet disabled.
#
# tools such as keytool and jarsigner may emit warnings when these legacy
# algorithms are used. see the man pages for those tools for more information.
#
# the syntax is the same as the jdk.certpath.disabledalgorithms and
# jdk.jar.disabledalgorithms security properties.
#
# note: this property is currently used by the jdk reference
# implementation. it is not guaranteed to be examined and used by other
# implementations.
jdk.security.legacyAlgorithms=SHA1, \
    RSA keySize < 2048, DSA keySize
#
#   keylength:
#       integer value of the algorithm's key length in bits
#
# note: this property is currently used by the jdk reference
# implementation. it is not guaranteed to be examined and used by other
# implementations.
#
# see jdk.certpath.disabledalgorithms for syntax descriptions.
#
jdk.jar.disabledalgorithms=md2, md5, rsa keysize da95ef0300f5c2ecdeb92c6d615c4c1a/conf/security/policy/ which can be customized.
# Please see the <java-home>/conf/security/policy/README.txt file or consult
# the java security guide/jca documentation for more information.
#
# you are advised to consult your export/import control counsel or attorney
# to determine the exact requirements.
#
# [1] please note that the jce for java se, including the jce framework,
# cryptographic policy files, and standard jce providers provided with
# the java se, have been reviewed and approved for export as mass market
# encryption item by the us bureau of industry and security.
#
# note: this property is currently used by the jdk reference implementation.
# it is not guaranteed to be examined and used by other implementations.
#
crypto.policy=unlimited
#
# the policy for the xml signature secure validation mode. the mode is
# enabled by setting the property org.jcp.xml.dsig.securevalidation to
# true with the javax.xml.crypto.xmlcryptocontext.setproperty() method,
# or by running the code with a securitymanager.
#
#   policy:
#       constraint {, constraint }
#   constraint:
#       algconstraint | maxtransformsconstraint | maxreferencesconstraint |
#       referenceurischemeconstraint | keysizeconstraint | otherconstraint
#   algconstraint
#       disallowalg uri
#   maxtransformsconstraint:
#       maxtransforms integer
#   maxreferencesconstraint:
#       maxreferences integer
#   referenceurischemeconstraint:
#       disallowreferenceurischemes string { string }
#   keysizeconstraint:
#       minkeysize keyalg integer
#   otherconstraint:
#       noduplicateids | noretrievalmethodloops
#
# for algconstraint, uri is the algorithm uri string that is not allowed.
# see the xml signature recommendation for more information on algorithm
# uri identifiers. for keysizeconstraint, keyalg is the standard algorithm
# name of the key type (ex: rsa). if the maxtransformsconstraint,
# maxreferencesconstraint or keysizeconstraint (for the same key type) is
# specified more than once, only the last entry is enforced.
#
# note: this property is currently used by the jdk reference implementation. it
# is not guaranteed to be examined and used by other implementations.
#
jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    minKeySize RSA 1024,\
    minKeySize DSA 1024,\
    minKeySize EC 224,\
    noDuplicateIds,\
    noRetrievalMethodLoops
#
# Serialization system-wide filter
#
# A filter, if configured, is used by java.io.ObjectInputStream during
# deserialization to check the contents of the stream.
# A filter is configured as a sequence of patterns; each pattern is either
# matched against the name of a class in the stream or defines a limit.
# Patterns are separated by ';' (semicolon).
# Whitespace is significant and is considered part of the pattern.
#
# If the system property jdk.serialFilter is also specified, it supersedes
# the security property value defined here.
#
# If a pattern includes a '=', it sets a limit.
# If a limit appears more than once the last value is used.
# Limits are checked before classes regardless of the order in the
# sequence of patterns.
# If any of the limits are exceeded, the filter status is REJECTED.
#
#   maxdepth=value - the maximum depth of a graph
#   maxrefs=value  - the maximum number of internal references
#   maxbytes=value - the maximum number of bytes in the input stream
#   maxarray=value - the maximum array length allowed
#
# Other patterns, from left to right, match the class or package name as
# returned from Class.getName.
# If the class is an array type, the class or package to be matched is the
# element type.
# Arrays of any number of dimensions are treated the same as the element type.
# For example, a pattern of '!example.Foo' rejects creation of any instance or
# array of example.Foo.
#
# If the pattern starts with '!', the status is REJECTED if the remaining
# pattern is matched; otherwise the status is ALLOWED if the pattern matches.
# If the pattern contains '/', the non-empty prefix up to the '/' is the
# module name;
#   if the module name matches the module name of the class then
#   the remaining pattern is matched with the class name.
#   if there is no '/', the module name is not compared.
# If the pattern ends with '.**' it matches any class in the package and all
# subpackages.
# If the pattern ends with '.*' it matches any class in the package.
# If the pattern ends with '*', it matches any class with the pattern as a
# prefix.
# If the pattern is equal to the class name, it matches.
# Otherwise, the status is UNDECIDED.
#
#jdk.serialFilter=pattern;pattern
#
# RMI Registry Serial Filter
#
# The filter pattern uses the same format as jdk.serialFilter.
# This filter can override the builtin filter if additional types need to be
# allowed or rejected from the RMI Registry or to decrease limits but not
# to increase limits.
# If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.
#
# Each non-array type is allowed or rejected if it matches one of the patterns,
# evaluated from left to right, and is otherwise allowed. Arrays of any
# component type, including subarrays and arrays of primitives, are allowed.
#
# Array construction of any component type, including subarrays and arrays of
# primitives, is allowed unless the length is greater than the maxarray limit.
# The filter is applied to each array element.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# The built-in filter allows subclasses of allowed classes and
# can approximately be represented as the pattern:
#
#sun.rmi.registry.registryFilter=\
#    maxarray=1000000;\
#    maxdepth=20;\
#    java.lang.String;\
#    java.lang.Number;\
#    java.lang.reflect.Proxy;\
#    java.rmi.Remote;\
#    sun.rmi.server.UnicastRef;\
#    sun.rmi.server.RMIClientSocketFactory;\
#    sun.rmi.server.RMIServerSocketFactory;\
#    java.rmi.activation.ActivationID;\
#    java.rmi.server.UID
#
# RMI Distributed Garbage Collector (DGC) Serial Filter
#
# The filter pattern uses the same format as jdk.serialFilter.
# This filter can override the builtin filter if additional types need to be
# allowed or rejected from the RMI DGC.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# The builtin DGC filter can approximately be represented as the filter pattern:
#
#sun.rmi.transport.dgcFilter=\
#    java.rmi.server.ObjID;\
#    java.rmi.server.UID;\
#    java.rmi.dgc.VMID;\
#    java.rmi.dgc.Lease;\
#    maxdepth=5;maxarray=10000
#
# JCEKS Encrypted Key Serial Filter
#
# This filter, if configured, is used by the JCEKS KeyStore during the
# deserialization of the encrypted Key object stored inside a key entry.
# If not configured or the filter result is UNDECIDED (i.e. none of the patterns
# matches), the filter configured by jdk.serialFilter will be consulted.
#
# If the system property jceks.key.serialFilter is also specified, it supersedes
# the security property value defined here.
#
# The filter pattern uses the same format as jdk.serialFilter. The default
# pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
# and javax.crypto.spec.SecretKeySpec and rejects all the others.
jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
  java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*

# The iteration count used for password-based encryption (PBE) in JCEKS
# keystores. Values in the range 10000 to 5000000 are considered valid.
# If the value is out of this range, or is not a number, or is unspecified,
# a default of 200000 is used.
#
# If the system property jdk.jceks.iterationCount is also specified, it
# supersedes the security property value defined here.
#
#jdk.jceks.iterationCount = 200000
#
# PKCS12 KeyStore properties
#
# The following properties, if configured, are used by the PKCS12 KeyStore
# implementation during the creation of a new keystore. Several of the
# properties may also be used when modifying an existing keystore. The
# properties can be overridden by a KeyStore API that specifies its own
# algorithms and parameters.
#
# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
# parameter used to generate the existing Mac will be reused. If the existing
# keystore does not have a Mac, no Mac will be created while storing. If there
# is at least one certificate in the existing keystore, the algorithm and
# parameters used to encrypt the last certificate in the existing keystore will
# be reused to encrypt all certificates while storing. If the last certificate
# in the existing keystore is not encrypted, all certificates will be stored
# unencrypted. If there is no certificate in the existing keystore, any newly
# added certificate will be encrypted (or stored unencrypted if algorithm
# value is NONE) using the keystore.pkcs12.certProtectionAlgorithm and
# keystore.pkcs12.certPbeIterationCount values defined here. Existing private
# and secret key(s) are not changed. Newly set private and secret key(s) will
# be encrypted using the keystore.pkcs12.keyProtectionAlgorithm and
# keystore.pkcs12.keyPbeIterationCount values defined here.
#
# In order to apply new algorithms and parameters to all entries in an
# existing keystore, one can create a new keystore and add entries in the
# existing keystore into the new keystore. This can be achieved by calling the
# "keytool -importkeystore" command.
#
# If a system property of the same name is also specified, it supersedes the
# security property value defined here.
#
# If the property is set to an illegal value,
# an iteration count that is not a positive integer, or an unknown algorithm
# name, an exception will be thrown when the property is used.
# If the property is not set or empty, a default value will be used.
#
# Note: These properties are currently used by the JDK Reference implementation.
# They are not guaranteed to be examined and used by other implementations.

# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
# algorithm defined in the Cipher section of the Java Security Standard
# Algorithm Names Specification. When set to "NONE", the certificate
# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256

# The iteration count used by the PBE algorithm when encrypting a certificate.
# This value must be a positive integer. The default value is 10000.
#keystore.pkcs12.certPbeIterationCount = 10000

# The algorithm used to encrypt a private key or secret key. This can be
# any non-Hmac PBE algorithm defined in the Cipher section of the Java
# Security Standard Algorithm Names Specification. The value must not be "NONE".
# The default value is "PBEWithHmacSHA256AndAES_256".
#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256

# The iteration count used by the PBE algorithm when encrypting a private key
# or a secret key. This value must be a positive integer. The default value
# is 10000.
#keystore.pkcs12.keyPbeIterationCount = 10000

# The algorithm used to calculate the optional MacData at the end of a PKCS12
# file. This can be any HmacPBE algorithm defined in the Mac section of the
# Java Security Standard Algorithm Names Specification. When set to "NONE",
# no Mac is generated. The default value is "HmacPBESHA256".
#keystore.pkcs12.macAlgorithm = HmacPBESHA256

# The iteration count used by the MacData algorithm. This value must be a
# positive integer. The default value is 10000.
#keystore.pkcs12.macIterationCount = 10000
#
# Enhanced exception message information
#
# By default, exception messages should not include potentially sensitive
# information such as file names, host names, or port numbers. This property
# accepts one or more comma separated values, each of which represents a
# category of enhanced exception message information to enable. Values are
# case-insensitive. Leading and trailing whitespaces, surrounding each value,
# are ignored. Unknown values are ignored.
#
# NOTE: Use caution before setting this property. Setting this property
# exposes sensitive information in Exceptions, which could, for example,
# propagate to untrusted code or be emitted in stack traces that are
# inadvertently disclosed and made accessible over a public network.
#
# The categories are:
#
#  hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the
#             java.nio.channels package will contain enhanced exception
#             message information
#
#  jar      - enables more detailed information in the IOExceptions thrown
#             by classes in the java.util.jar package
#
# The property setting in this file can be overridden by a system property of
# the same name, with the same syntax and possible values.
#
#jdk.includeInExceptions=hostInfo,jar
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the "mechanisms"
# argument of "Sasl.createSaslClient" or the "mechanism" argument of
# "Sasl.createSaslServer".
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
# This is a comma separated value of one or more case-sensitive strings, each
# of which represents a policy for determining if a CA should be distrusted.
# The supported values are:
#
#   SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
#   Root CA and issued after April 16, 2019 unless issued by one of the
#   following subordinate CAs which have a later distrust date:
#     1. Apple IST CA 2 - G1, SHA-256 fingerprint:
#        ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b
#        Distrust after December 31, 2019.
#     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
#        a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed
#        Distrust after December 31, 2019.
#
# Leading and trailing whitespace surrounding each value are ignored.
# Unknown values are ignored. If the property is commented out or set to the
# empty string, no policies are enforced.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be supported by other SE implementations. Also, this
# property does not override other security properties which can restrict
# certificates such as jdk.tls.disabledAlgorithms or
# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
# if this property is not enabled.
#
jdk.security.caDistrustPolicies=SYMANTEC_TLS
#
# FilePermission path canonicalization
#
# This security property dictates how the path argument is processed and stored
# while constructing a FilePermission object. If the value is set to true, the
# path argument is canonicalized and FilePermission methods (such as implies,
# equals, and hashCode) are implemented based on this canonicalized result.
# Otherwise, the path argument is not canonicalized and FilePermission methods are
# implemented based on the original input. See the implementation note of the
# FilePermission class for more details.
#
# If a system property of the same name is also specified, it supersedes the
# security property value defined here.
#
# The default value for this property is false.
#
jdk.io.permissionsUseCanonicalPath=false
#
# Policies for the proxy_impersonator Kerberos ccache configuration entry
#
# The proxy_impersonator ccache configuration entry indicates that the ccache
# is a synthetic delegated credential for use with S4U2Proxy by an intermediate
# server. The ccache file should also contain the TGT of this server and
# an evidence ticket from the default principal of the ccache to this server.
#
# This security property determines how Java uses this configuration entry.
# There are 3 possible values:
#
#  no-impersonate     - Ignore this configuration entry, and always act as
#                       the owner of the TGT (if it exists).
#
#  try-impersonate    - Try impersonation when this configuration entry exists.
#                       If no matching TGT or evidence ticket is found,
#                       fall back to no-impersonate.
#
#  always-impersonate - Always impersonate when this configuration entry exists.
#                       If no matching TGT or evidence ticket is found,
#                       no initial credential is read from the ccache.
#
# The default value is "always-impersonate".
#
# If a system property of the same name is also specified, it supersedes the
# security property value defined here.
#
#jdk.security.krb5.default.initiate.credential=always-impersonate
#
# Trust Anchor Certificates - CA Basic Constraint check
#
# X.509 v3 certificates used as trust anchors (to validate signed code or TLS
# connections) must have the CA Basic Constraint field set to 'true'. Also, if
# they include a Key Usage extension, the keyCertSign bit must be set. These
# checks, enabled by default, can be disabled for backward-compatibility
# purposes with the jdk.security.allowNonCaAnchor System and Security
# properties. In the case that both properties are simultaneously set, the
# System value prevails. The default value of the property is "false".
#
#jdk.security.allowNonCaAnchor=true
#
# The default Character set name (java.nio.charset.Charset.forName())
# for converting TLS ALPN values between byte arrays and Strings.
# Prior versions of the JDK may use UTF-8 as the default charset. If
# you experience interoperability issues, setting this property to UTF-8
# may help.
#
# jdk.tls.alpnCharset=UTF-8
jdk.tls.alpnCharset=ISO_8859_1
#
# JNDI Object Factories Filter
#
# This filter is used by the JNDI runtime to control the set of object factory classes
# which will be allowed to instantiate objects from object references returned by
# naming/directory systems. The factory class named by the reference instance will be
# matched against this filter. The filter property supports pattern-based filter syntax
# with the same format as jdk.serialFilter.
#
# Each pattern is matched against the factory class name to allow or disallow its
# instantiation. The access to a factory class is allowed unless the filter returns
# REJECTED.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
# the security property value defined here. The default value of the property is "*".
#
# The default pattern value allows any object factory class specified by the reference
# instance to recreate the referenced object.
#jdk.jndi.object.factoriesFilter=*
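As an added example (not part of the java.security file or of the original article), the jdk.serialFilter pattern syntax described in the serialization filter section above, built into a filter with java.io.ObjectInputFilter and exercised against a constructed allowlist. It assumes Java 9 or later; on 8u121 and later the same API lives in sun.misc.ObjectInputFilter and the filter is attached with ObjectInputFilter.Config.setObjectInputFilter(ois, filter) instead of the stream setter used here.

```java
import java.io.*;
import java.util.*;

public class SerialFilterDemo {
    // Constructed allowlist in jdk.serialFilter syntax: limits, two allowed
    // classes, then "!*" so every other class is REJECTED rather than UNDECIDED.
    static final String PATTERN =
        "maxdepth=10;maxarray=1000;java.lang.String;java.util.ArrayList;!*";
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Ask the filter for its decision on one class at a given graph depth and
    // array length (-1 means "not an array"), without touching a real stream.
    static ObjectInputFilter.Status check(Class<?> clazz, long depth, long arrayLength) {
        return FILTER.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return clazz; }
            public long arrayLength()     { return arrayLength; }
            public long depth()           { return depth; }
            public long references()      { return 1; }
            public long streamBytes()     { return 64; }
        });
    }

    // Serialize, then deserialize with the filter installed on the stream; this
    // has the same effect as jdk.serialFilter but scoped to one stream.
    static Object roundTrip(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check(String.class, 1, -1));      // on the allowlist
        System.out.println(check(String[].class, 1, 10));    // arrays are judged by element type
        System.out.println(check(String[].class, 1, 5000));  // over maxarray: limits are checked first
        System.out.println(check(HashMap.class, 1, -1));     // caught by the trailing !*
        System.out.println(check(ArrayList.class, 11, -1));  // over maxdepth

        System.out.println(roundTrip(new ArrayList<>(List.of("a", "b"))));
        HashMap<String, String> m = new HashMap<>();
        m.put("k", "v");
        try {
            roundTrip(m);                                    // HashMap is not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("HashMap blocked: " + e.getMessage());
        }
    }
}
```

With the trailing `!*` a class the allowlist forgot fails closed as REJECTED, which is what a system-wide filter should do; without it the filter returns UNDECIDED for that class and ObjectInputStream goes on to load it.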