RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v2]

Sean Mullan mullan at openjdk.java.net
Thu Mar 10 17:45:44 UTC 2022


On Thu, 10 Mar 2022 16:43:23 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> src/java.base/share/conf/security/java.security line 711:
>> 
>>> 709: # separated list of algorithms to be allowed.
>>> 710: #
>>> 711: jdk.httpdigest.defaultDisabledAlgorithms = MD5, MD-5, SHA1, SHA-1
>> 
>> I haven't seen people using "MD-5". It's also not an alias of "MD5" in our own security providers. On the other hand, we support both "SHA1" and "SHA" (and its OID) as aliases of "SHA-1". So, either we list all these aliases here, or we only put the standard names here and "canonicalize" the name when we see one. `sun.security.util.KnownOIDs.findMatch("SHA-1").stdName()` can be used.
>
> The aliases are a PITA. It's a shame there isn't support in the public API to canonicalize the names. But, what I will do is canonicalize the incoming strings from the HTTP server and then we only have to list canonical names in the properties.

I think it would be more consistent if the namespace of the two properties were the same. For example, consider renaming the security property to "http.auth.digest.disabledAlgorithms". I don't think the "default" word adds anything meaningful.

To avoid any confusion, I think you may also want to add a sentence describing that these algorithms are only disabled when used over HTTP, and not HTTPS.  Because I think technically are they still called HTTP digest authentication schemes even if used over HTTPS.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688


More information about the net-dev mailing list