RFR: 8281561: Disable http DIGEST mechanism with MD5 by default
Jaikiran Pai
jpai at openjdk.java.net
Sat Mar 5 15:11:06 UTC 2022
On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
> Hi,
>
> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>
> - Michael
src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 514:
> 512: if (getAuthType() == AuthCacheValue.Type.Server &&
> 513: getProtocolScheme().equals("https")) {
> 514: // HTTPS server authentication can use any algorithm
Hello Michael,
Should it be noted somewhere in the text of the linked CSR that the property values play no role if the request URL's scheme is HTTPS (and proxy isn't involved)?
As a related question - should the implementation even bother about this HTTP vs HTTPS protocol check? As far as I understand, the reason why we are proposing to disable support for MD5 is because of its cryptographic weakness/vulnerabilities. So irrespective of whether or not the computed MD5 (or any other disabled algorithm) digest value gets transferred over HTTP or HTTPS, the value would still be cryptographically vulnerable isn't it?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
More information about the net-dev
mailing list