This information is useless :-( Pay close notice to:

The code: org.infoarmor.application.config.HttpClientConfiguration#sslContext(), line 170
...obtained a handle to the hashing algorithm seen here, which is considered insecure:
digest = java.security.MessageDigest.getInstance("SHA-1")

What does this have to do with our project? Is org.infoarmor your own code? Another library? Whose?

Gary

On Thu, Feb 3, 2022 at 12:57 PM Joseph Simone <jsim...@aip.com> wrote:

> Hi Gary,
> Thanks for replying. Let me explain in more detail.
>
> We are using Contrast Security (see https://www.contrastsecurity.com/ ) to scan our API service for security vulnerabilities.
> Contrast Security is reporting a vulnerability pointing into the http client library at the class SSLContextBuilder.
>
> This is what Contrast Security is reporting:
> ----------------------
> The code:
> org.infoarmor.application.config.HttpClientConfiguration#sslContext(), line 170
> ...obtained a handle to the hashing algorithm seen here, which is considered insecure:
> digest = java.security.MessageDigest.getInstance("SHA-1")
>
> What's the risk?
> The hashing algorithm used, SHA-1, has been found by researchers to be unsafe for protecting sensitive data with today's technology.
> ----------------------
>
> I have tried using httpclient 4.5.13 throughout all our dependency tree but am still seeing the vulnerability reported.
> My next attempt was to exclude all references to the version 4 code and include only version 5.1.3 code (GA latest). The problem I encountered, because we are using Spring Boot 2.2.13 - an old version - was to get the http configuration code we have to compile with the new version 5 of httpclient (org.apache.hc.client5.http.* ). I can't get it to compile. Why? The Spring Boot class HttpComponentsMessageSender is looking for the version 4 httpclient and not the version 5.
>
> So back to httpclient 4.5.13 as a dependency. At least that compiles and executes.
>
> So now I am thinking --- How can I tell the http client 4 code to just use SHA-2 as a hashing algorithm instead of SHA-1? There should be a way to specify that in the security.properties file.
>
> Is this the correct way to proceed or should I set the SHA-2 hashing algorithm in our config code? Why would SHA-1 be the default in 4.5.13 if it is insecure?
>
> Thanks for your help. It is greatly appreciated.
>
> Joe
>
>
> On 2/2/22, 6:44 PM, "Gary Gregory" <garydgreg...@gmail.com> wrote:
>
> > Can you be more specific?
> >
> > Gary
> >
> > On Wed, Feb 2, 2022, 17:37 Joseph Simone <jsim...@aip.com> wrote:
> >
> > > In which version of httpclient would
> > > 'SHA-1' hash algorithm used at SSLContextBuilder.java
> > > Be fixed?
> > > Thanks.
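The thread never says what the digest at line 170 of HttpClientConfiguration#sslContext() is actually used for; the scanner only reports that the application's own code (the org.infoarmor package, not Apache HttpClient) calls MessageDigest.getInstance("SHA-1"). The following is an added example, not code from the thread, from Contrast, or from the HttpClient project. It assumes, hypothetically, that the flagged digest computes a certificate fingerprint used to pin a server certificate. It shows the flagged SHA-1 pattern beside the SHA-256 form, and wires the SHA-256 version into the httpcore 4.4 / httpclient 4.5 SSLContextBuilder via a TrustStrategy. The class name PinnedSslContextExample, the method names and the fingerprint constant are all constructed for this example.

```java
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

/**
 * Hypothetical stand-in for the HttpClientConfiguration#sslContext() method
 * named in the thread. Assumption (not stated in the thread): the flagged
 * MessageDigest is used to pin a server certificate by its fingerprint.
 */
public class PinnedSslContextExample {

    /** Constructed placeholder: replace with the real SHA-256 fingerprint (hex) of the pinned leaf certificate. */
    static final String PINNED_SHA256_FINGERPRINT =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** The pattern a scanner flags: an explicit SHA-1 digest of the certificate. Kept only for comparison. */
    static String sha1Fingerprint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        return toHex(digest.digest(cert.getEncoded()));
    }

    /** Same fingerprint computed with SHA-256; this one-line change is what removes the finding. */
    static String sha256Fingerprint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        return toHex(digest.digest(cert.getEncoded()));
    }

    /**
     * TrustStrategy semantics in SSLContextBuilder: returning true accepts the chain
     * without consulting the truststore, returning false defers to the default
     * trust manager. So the pinned certificate is accepted directly, and any other
     * chain still has to pass normal validation against the truststore.
     */
    static TrustStrategy pinnedLeafStrategy(String expectedSha256Hex) {
        return (X509Certificate[] chain, String authType) -> {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            try {
                return expectedSha256Hex.equalsIgnoreCase(sha256Fingerprint(chain[0]));
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException("SHA-256 not available in this JVM", e);
            }
        };
    }

    /** Builds the SSLContext; a null truststore means the JVM default (cacerts) backs the strategy. */
    static SSLContext sslContext()
            throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
        return SSLContexts.custom()
                .loadTrustMaterial(null, pinnedLeafStrategy(PINNED_SHA256_FINGERPRINT))
                .build();
    }

    /** Plugs the context into a 4.5.x client, keeping the default hostname verifier. */
    static CloseableHttpClient httpClient()
            throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    /** Lower-case hex encoding; avoids HexFormat so it compiles on Java 8/11 as well. */
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

On the security.properties question raised in the thread: the `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` entries in the JDK's `java.security` file restrict which algorithms certificate path validation and TLS negotiation will accept; they do not change what an explicit `MessageDigest.getInstance("SHA-1")` call returns, so a finding on that line is only cleared by changing the application code that makes the call, as the `sha256Fingerprint` method above does.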