RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v2]
Michael McMahon
michaelm at openjdk.java.net
Wed Mar 9 14:31:04 UTC 2022
On Mon, 7 Mar 2022 20:35:13 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - update
>> - update after first review round
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 514:
>
>> 512: if (getAuthType() == AuthCacheValue.Type.Server &&
>> 513: getProtocolScheme().equals("https")) {
>> 514: // HTTPS server authentication can use any algorithm
>
> A more security conscious user may want to disable MD5 digest authentication, even when used over HTTPS, even though the risks are far less than when used over HTTP. Is there a way to do that?
There isn't a way to do that currently. I'd prefer not to further complicate the configuration to allow it. It would probably be a lot simpler to just disable MD5 across the board for proxy and server instead? We're including SHA-1 in that list now as well by the way.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
More information about the net-dev
mailing list