RFR: 8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default [v8]

Daniel Fuchs dfuchs at openjdk.java.net
Mon Mar 28 09:32:49 UTC 2022


On Mon, 28 Mar 2022 08:22:26 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 524:
>> 
>>> 522:         }
>>> 523: 
>>> 524:         boolean session = algorithm.endsWith ("-sess");
>> 
>> should that be `digest.endsWith("-sess");` ?
>
> No, the digest field refers to the actual message digest algorithm (as known to the security libraries). The algorithm field holds the algorithm name as it is defined in RFC7616.

I am confused here - because you converted `algorithm` to upper case, so it should never end with `-sess`?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688
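An added illustration of the point raised above (example code, not code from the PR or the JDK): once the algorithm token has been uppercased, a lowercase `-sess` suffix test can never match, so a session variant is silently treated as the plain variant. The corrected parser folds case first and then tests the suffix, maps the RFC 7616 token to a JCA digest name, and applies a disabled-digest policy; the class, method and set names are assumptions, and the disabled set only reflects the PR title.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not part of the JDK: RFC 7616 "algorithm" token handling.
public final class DigestAlgorithmCheck {
    // RFC 7616 tokens are compared case-insensitively; "-sess" marks the session variant.
    record Parsed(String digest, boolean session) {}

    // Digests refused by default in this example (the policy named in the PR title).
    static final Set<String> DISABLED = Set.of("MD5", "SHA-1");

    // Buggy order: uppercase first, then test a lowercase suffix, so the session
    // variant is never detected.
    static boolean sessionFlagBuggy(String algorithm) {
        String upper = algorithm.toUpperCase(Locale.ROOT);
        return upper.endsWith("-sess");
    }

    // Corrected: case-fold once, test the suffix against the folded form, then map.
    static Parsed parse(String algorithm) {
        String token = algorithm.trim().toUpperCase(Locale.ROOT);
        boolean session = token.endsWith("-SESS");
        if (session) {
            token = token.substring(0, token.length() - "-SESS".length());
        }
        // RFC 7616 token -> JCA MessageDigest standard name.
        String digest = switch (token) {
            case "MD5" -> "MD5";
            case "SHA-256" -> "SHA-256";
            case "SHA-512-256" -> "SHA-512/256";
            default -> throw new IllegalArgumentException("unsupported algorithm: " + algorithm);
        };
        return new Parsed(digest, session);
    }

    static boolean allowed(Parsed p) {
        return !DISABLED.contains(p.digest());
    }

    public static void main(String[] args) {
        System.out.println("buggy session flag for SHA-256-sess: " + sessionFlagBuggy("SHA-256-sess"));
        Parsed p = parse("sha-256-SESS");
        System.out.println(p + " allowed=" + allowed(p));
        System.out.println("MD5 allowed=" + allowed(parse("MD5")));
    }
}
```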
