Hi Gary,
Thanks for replying. Let me explain in more detail.
We are using Contrast Security (see https://www.contrastsecurity.com/) to scan
our API service for security vulnerabilities.
Contrast Security is reporting a vulnerability pointing into the http client
library at the class SSLContextBuilder.
This is what Contrast Security is reporting:
----------------------
The code:
org.infoarmor.application.config.HttpClientConfiguration#sslContext(), line 170
...obtained a handle to the hashing algorithm seen here, which is considered
insecure:
digest = java.security.MessageDigest.getInstance("SHA-1")
What's the risk?
The hashing algorithm used, SHA-1, has been found by researchers to be unsafe
for protecting sensitive data with today's technology.
----------------------
I have tried using httpclient 4.5.13 throughout all our dependency tree but am
still seeing the vulnerability reported.
My next attempt was to exclude all references to the version 4 code and include
only version 5.1.3 code (GA latest). The problem I encountered, because we are
using Spring Boot 2.2.13 - an old version - was to get the http configuration
code we have to compile with the new version 5 of httpclient
(org.apache.hc.client5.http.*). I can't get it to compile. Why? The Spring
Boot class HttpComponentsMessageSender is looking for the version 4 httpclient
and not the version 5.
So back to httpclient 4.5.13 as a dependency. At least that compiles and
executes.
So now I am thinking --- How can I tell the http client 4 code to just use
SHA-2 as a hashing algorithm instead of SHA-1? There should be a way to
specify that in the security.properties file.
Is this the correct way to proceed or should I set the SHA-2 hashing algorithm
in our config code? Why would SHA-1 be the default in 4.5.13 if it is insecure?
Thanks for your help. It is greatly appreciated.
Joe
On 2/2/22, 6:44 PM, "Gary Gregory" <[email protected]> wrote:
Can you be more specific?
Gary
On Wed, Feb 2, 2022, 17:37 Joseph Simone <[email protected]> wrote:
> In which version of httpclient would the
> 'SHA-1' hash algorithm used at SSLContextBuilder.java
> be fixed?
> Thanks.