Also, SHA-1 is not automatically "unsafe", and SHA-256 automatically "safe". Everything has a context, and the context is missing here. Shawn provides a context, that likely shows that SHA-1 is in use, and providing better than no security, and less than latest recommendations, which is the reality of much of the web today. So you can dislike that things aren't perfect, but it takes more than a one-line code change to fix such a problem. In the context of HttpComponents, there is no evidence provided that HttpComponents is doing anything wrong. It's doing what it is supposed to, or if not - the original reporter should propose what they think the problem is, and why they think it should be fixed. This will likely be rejected, as once the discussion gets into the real problem, the problem is likely outside the HttpComponents project entirely, as Shawn helpfully describes.
On Sat, Feb 5, 2022 at 12:23 AM Shawn Heisey <[email protected]> wrote: > On 2/4/2022 1:15 PM, Joseph Simone wrote: > > Maybe we got started off with the wrong details here. > > How or where can I set the MessageDigest to SHA-256 ... > > > > MessageDigest safeDigester = MessageDigest.getInstance("SHA-256"); // Safe! > > > > Whatever the default is, it seems to be insecure. I think the problem is a > > simple matter on my side of missing an httpclient configuration setting. > > If I'm not mistaken (and I very well could be) ... that refers to the > details in the SSL certificate. Chances are that the certificate on the > website you're contacting is using the less secure hashing algorithm. > Therefore the code that uses the certificate will also be using SHA1. > > First hit on a google search. I have no personal connection to > digicert, though I do have a friend who works there: > > https://www.digicert.com/faq/sha2/transitioning-to-sha-2.htm > > If the certificate is not within your control, then you need to talk to > whoever manages the website and ask them to fix their cert. > > If the cert IS under your control: In some cases, the hashing algorithm > of the final certificate will be determined from a certificate signing > request that you provide to the CA. But I think that most public CAs > these days do not pay attention to anything in a CSR except the public > key, and if that is the case, the hashing algorithm will be entirely up > to the CA. > > If this is a client cert and not a server cert, then chances are that it > is under your control. If you run your own CA, you should talk to the > vendor or project for that software about how to have it issue SHA-2 > certificates. If you use a public CA for client certs, ask them how to > obtain upgraded certs. -- Mark Mielke <[email protected]> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
