Integrated: 8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default
Michael McMahon
michaelm at openjdk.java.net
Mon Mar 28 13:56:53 UTC 2022
On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
> Hi,
>
> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>
> - Michael
This pull request has now been integrated.
Changeset: 7f2a3ca2
Author: Michael McMahon <michaelm at openjdk.org>
URL: https://git.openjdk.java.net/jdk/commit/7f2a3ca289ae14bec1af24d0a51e98ba697ce9c1
Stats: 585 lines in 14 files changed: 490 ins; 14 del; 81 mod
8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default
Reviewed-by: weijun, dfuchs
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
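
The policy and the RFC 7616 computations mentioned in the quoted message, as an added example that is not code from the JDK change. The class, its methods and the comma-separated reading of "http.auth.digest.reEnabledAlgs" are assumptions, and all credentials and nonces are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DigestPolicyDemo {
    // RFC 7616 algorithm tokens mapped to java.security.MessageDigest names
    static final Map<String, String> JCA = Map.of(
        "MD5", "MD5", "SHA-256", "SHA-256", "SHA-512-256", "SHA-512/256");
    // Disabled by default per the change title; this checker is a hypothetical model
    static final Set<String> WEAK = Set.of("MD5", "SHA-1");

    // Assumption: the property value is a comma-separated list of algorithm names
    static boolean permitted(String alg, String reEnabled) {
        if (!WEAK.contains(alg)) return true;
        for (String s : reEnabled.split(","))
            if (s.trim().equalsIgnoreCase(alg)) return true;
        return false;
    }

    static String h(String alg, String data) throws Exception {
        MessageDigest md = MessageDigest.getInstance(JCA.get(alg));
        return HexFormat.of().formatHex(md.digest(data.getBytes(StandardCharsets.UTF_8)));
    }

    // RFC 7616 response for qop=auth with a non-session algorithm
    static String response(String alg, String user, String realm, String pass, String method,
                           String uri, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = h(alg, user + ":" + realm + ":" + pass);
        String ha2 = h(alg, method + ":" + uri);
        return h(alg, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String reEnabled = System.getProperty("http.auth.digest.reEnabledAlgs", "");
        // Constructed challenge: a server offering three algorithms
        for (String alg : List.of("SHA-512-256", "SHA-256", "MD5")) {
            if (!permitted(alg, reEnabled)) {
                System.out.println(alg + ": refused (not re-enabled)");
                continue;
            }
            // Constructed credentials and nonces
            String resp = response(alg, "alice", "example", "s3cret", "GET", "/index.html",
                                   "nonce-constructed", "00000001", "cnonce-constructed");
            String userhash = h(alg, "alice" + ":" + "example"); // RFC 7616 username hashing
            System.out.println(alg + ": response=" + resp + " userhash=" + userhash);
        }
    }
}
```

Running it with `-Dhttp.auth.digest.reEnabledAlgs=MD5` makes the MD5 challenge get a computed response instead of being refused.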