RFR: 8281561: Disable http DIGEST mechanism with MD5 by default
Daniel Fuchs
dfuchs at openjdk.java.net
Fri Mar 4 13:09:08 UTC 2022
On Fri, 4 Mar 2022 12:29:28 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
> > So, maybe, we could have a 2nd net property with the default disabled algorithms and in net.properties we identify MD5 only for now. Users could add to that list if they want or even specify it on the command line. I think it's potentially confusing, but maybe there is a case for adding to the disabled list. I need to think about a way to do this without subverting the point about making the user explicitly opt in.
>
> Thinking about it again, I wonder if we should just deprecate SHA-1 at the same time. I think there will be less compatibility impact than with MD5, and it's basically broken as well. I don't see a reason to opt out of other algorithms at this time.
I see - maybe we should have a security property identifying the list of algorithms that are disabled, and then a system property to reenable them?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688