JDK-8170157 : Enable unlimited cryptographic policy by default in Oracle JDK builds
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 9
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-11-22
  • Updated: 2018-03-21
  • Resolved: 2016-12-06
The Version table provides details related to the release in which this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Version table:
  • JDK 6: 6u181 (Fixed)
  • JDK 7: 7u171 (Fixed)
  • JDK 8: 8u161 (Fixed)
  • JDK 9: 9 b148 (Fixed)
  • Other: openjdk7u (Fixed)
Sub Tasks
  • JDK-8170498
  • JDK-8189377

Oracle JDK/JRE has received approval to enable unlimited policy by default.

The plan is to set the default configure property to "enabled".  

Distributions that must continue to use limited crypto need to add the configure flag to their build:

    //   --disable-unlimited-crypto
    //                      Disable unlimited crypto policy [enabled]

    % sh configure --disable-unlimited-crypto

For JDK Update releases - I still plan to go with below policy. Keep in mind that 'crypto.policy' is not defined in Update releases and this aids compatibility around use of legacy jar files. Logic is implemented in this preference order:

* crypto.policy *not* defined by default
* if crypto.policy is defined, honour that setting.
* if crypto.policy is not defined and legacy jars are present, honour them.
* if crypto.policy is not defined and no legacy jars are present, use default of *unlimited*

Please see JDK-8169335 for more information about the final fallback choice.
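
A runtime check for the outcome of the preference order described above, as an added example that is not part of this issue or of the JDK sources: it prints the configured `crypto.policy` security property and the key-length limits the JVM actually enforces, whichever branch of the fallback logic applied. The class name `CryptoPolicyCheck`, the algorithm list and the AES-256 gate are assumptions made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;

// Added example (hypothetical class name): reports the policy this JVM enforces.
public class CryptoPolicyCheck {

    // Integer.MAX_VALUE from getMaxAllowedKeyLength() means the policy sets no limit.
    static String classify(int maxKeyBits) {
        return maxKeyBits == Integer.MAX_VALUE
                ? "unlimited" : "limited to " + maxKeyBits + " bits";
    }

    // Effective limit per transformation; a malformed name is reported, not fatal.
    static Map<String, String> effectiveLimits(String... transformations) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String t : transformations) {
            try {
                out.put(t, classify(Cipher.getMaxAllowedKeyLength(t)));
            } catch (NoSuchAlgorithmException e) {
                out.put(t, "invalid transformation");
            }
        }
        return out;
    }

    static boolean permitsKeyLength(String transformation, int bits) {
        try {
            return Cipher.getMaxAllowedKeyLength(transformation) >= bits;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // null: crypto.policy is not defined, so the fallback steps decide.
        String configured = Security.getProperty("crypto.policy");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = "
                + (configured == null ? "(not defined)" : configured));
        // Illustrative algorithm list, chosen for this example.
        effectiveLimits("AES", "DES", "RSA")
                .forEach((t, v) -> System.out.println(t + " -> " + v));
        // Non-zero exit when AES-256 is refused, so a deployment check can gate on it.
        System.exit(permitsKeyLength("AES", 256) ? 0 : 1);
    }
}
```

Run it with the same JVM and security configuration the application uses, since the result depends on that installation's policy files and `java.security` settings.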

FC Extension Request

Work remaining:
--------------------
Set the configure property default to "enabled"

    --disable-unlimited-crypto
                       Disable unlimited crypto policy [enabled]

Update the JDK 9 unit tests to reflect the new default
Communicate change to other groups.

Risk:
------
This is about opening up permissions. It's unlikely that this will break things, other than unit tests which depend on "limited" being the default.

Justification:
---------------
Oracle JDK/JRE has received approval to enable unlimited policy by default. This change combined with the recent changes to ship both the limited and unlimited policy files together will eliminate a major source of pain for many deployments and customers. This is a frequently requested change for many years.

Date:
-----
December 22nd, 2016. I expect my work can be completed earlier, but others might be impacted by this work and may need time to adjust. We will ProblemList any remaining unit tests not passing.

Most likely JDK impact will be unit tests. Finding/filing/fixing what we can, will ProblemList the ones we can't before Feature Complete Extended.

Can you add a comment to say how this relates to JDK-8169335? That is, is the plan to continue to default to "limited" when crypto.policy is not defined in the policy file?

The following bugs were discovered when enabling unlimited cryptographic policy by default: JDK-8170247, JDK-8170245