RFR: 8281561: Disable http DIGEST mechanism with MD5 by default

Michael McMahon michaelm at openjdk.java.net
Fri Mar 4 12:25:05 UTC 2022


On Fri, 4 Mar 2022 12:12:25 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

> > I considered that and implemented it that way at the start, but what you would end up with then is users running their code with something like: -DdisabledAlgNames=""
> > I find that style leads to a much less explicit "opting in" than by making the user explicitly identify the deprecated algorithm by name.
> 
> Right - but it would also allow users to opt-in to disable more algorithms by listing them in the property

In practical terms, the only other likely candidate there is SHA-1. If that weren't the case, I'd disagree with your point.

So, maybe, we could have a 2nd net property with the default disabled algorithms and in net.properties we identify MD5 only for now. Users could add to that list if they want or even specify it on the command line. I think it's potentially confusing, but maybe there is a case for adding to the disabled list. I need to think about a way to do this without subvertng the point about making the user explicitly opt in.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688


More information about the net-dev mailing list