This information is useless :-(

Pay close notice to:

The code:
org.infoarmor.application.config.HttpClientConfiguration#sslContext(), line 170
...obtained a handle to the hashing algorithm seen here, which is
considered insecure:
digest = java.security.MessageDigest.getInstance("SHA-1")


What does this have to do with our project? Is org.infoarmor your own code?
Another library? Whose?

Gary


On Thu, Feb 3, 2022 at 12:57 PM Joseph Simone <jsim...@aip.com> wrote:

> Hi Gary,
> Thanks for replying.  Let me explain in more detail.
>
> We are using Contrast Security (see https://www.contrastsecurity.com/ )
> to scan our API service for security vulnerabilities.
> Contrast Security is reporting a vulnerability pointing into the http
> client library at the class SSLContextBuilder.
>
> This is what Contrast Security is reporting:
> ----------------------
> The code:
> org.infoarmor.application.config.HttpClientConfiguration#sslContext(),
> line 170
> ...obtained a handle to the hashing algorithm seen here, which is
> considered insecure:
> digest = java.security.MessageDigest.getInstance("SHA-1")
>
> What's the risk?
> The hashing algorithm used, SHA-1, has been found by researchers to be
> unsafe for protecting sensitive data with today's technology.
> ----------------------
>
> I have tried using httpclient 4.5.13 throughout all our dependency tree
> but am still seeing the vulnerability reported.
> My next attempt was to exclude all references to the version 4 code and
> include only version 5.1.3 code (GA latest).  The problem I encountered,
> because we are using Spring Boot 2.2.13 - an old version - was to get the
> http configuration code we have to compile with the new version 5 of
> httpclient (org.apache.hc.client5.http.* ).  I can't get it to compile.
> Why?  The Spring boot class HttpComponentsMessageSender is looking for the
> version 4 httpclient and not the version 5.
>
> So back to httpclient 4.5.13 as a dependency.  At least that compiles and
> executes.
>
> So now I am thinking --- How can I tell the http client 4 code to just use
> SHA-2 as a hashing algorithm instead of SHA-1?   There should be a way to
> specify that in the security.properties file.
>
> Is this the correct way to proceed or should I set the SHA-2 hashing
> algorithm in our config code?  Why would SHA-1 be the default in 4.5.13 if
> it is insecure?
>
> Thanks for your help.  It is greatly appreciated.
>
> Joe
>
>
>
> On 2/2/22, 6:44 PM, "Gary Gregory" <garydgreg...@gmail.com> wrote:
>
>     Can you be more specific?
>
>     Gary
>
>     On Wed, Feb 2, 2022, 17:37 Joseph Simone <jsim...@aip.com> wrote:
>
>     > In which version of httpclient would
>     > 'SHA-1' hash algorithm used at SSLContextBuilder.java
>     > be fixed?
>     > Thanks.
>     >
>     >
>
>

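The scanner finding quoted above names a frame in `org.infoarmor.application.config`, which reads as the application's own package rather than `org.apache.http`, so the `MessageDigest.getInstance("SHA-1")` call is presumably in the application's `sslContext()` method. The thread does not say what that line does; one common reason for a digest call inside TLS setup code is pinning a peer certificate by fingerprint. Assuming that is the case, the following is an added example (not code from this thread, from HttpClient, or from the application discussed) of the SHA-1 call beside a SHA-256 replacement, wired into HttpClient 4.5 / HttpCore 4.4's `SSLContextBuilder` and `TrustStrategy`. The class name, the pin set and the fingerprint helpers are hypothetical; the pin value is a constructed placeholder.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

import javax.net.ssl.SSLContext;

import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

/**
 * Hypothetical sslContext() configuration that pins the peer's leaf
 * certificate by fingerprint. Pinning is an assumption here: the thread does
 * not say what the flagged line 170 computes.
 */
public final class PinnedSslContextExample {

    // Constructed placeholder: the SHA-256 fingerprint (lower-case hex, no
    // separators) of the certificate the client is meant to trust.
    private static final Set<String> PINNED_SHA256 = Collections.singleton(
            "0000000000000000000000000000000000000000000000000000000000000000");

    // The shape an IAST/SAST scanner flags: SHA-1 over the DER encoding.
    static String sha1Fingerprint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        return hex(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
    }

    // The hardened form: identical shape, SHA-256 instead of SHA-1.
    static String sha256Fingerprint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        return hex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Builds an SSLContext with the HttpCore 4.4 / HttpClient 4.5 API. */
    static SSLContext buildPinnedContext() throws Exception {
        // TrustStrategy is a single-method interface, so a lambda is enough.
        TrustStrategy pinLeafBySha256 = (X509Certificate[] chain, String authType) -> {
            try {
                // chain[0] is the peer's leaf certificate.
                return PINNED_SHA256.contains(sha256Fingerprint(chain[0]));
            } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
                return false;
            }
        };
        // When the strategy returns true, SSLContextBuilder's trust manager
        // accepts the chain without further PKIX validation, so the pin check
        // must be strict. Returning false falls through to the normal trust
        // store check (null here means the JVM's default trust store).
        return SSLContextBuilder.create()
                .loadTrustMaterial(null, pinLeafBySha256)
                .build();
    }
}
```

On the `security.properties` question raised in the thread: `MessageDigest.getInstance("SHA-1")` is an explicit algorithm request, and the `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` entries in the JDK's `java.security` file only restrict what the TLS stack and certificate path validation will accept; they do not rewrite a direct `MessageDigest` call. If the flagged call is in application code, the change has to be made there, as above.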