Hi Jacques,

Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to *not*
allow MD5 even if a client requests it? So I think we're OK already.

Is it possible for us to leave out the ciphers property from OFBiz
altogether, so Tomcat's default rules would come into play, and as they
evolve over time OFBiz would naturally track them, without us having to
maintain our own copy?

Cheers

Paul Foxworthy


On 14 February 2018 at 00:03, Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:

> Hi,
>
> Following a recent "distribution policy : make .md5 optional" thread at
> us...@infra.apache.org and looking at https://en.wikipedia.org/wiki/MD5
>
> "Although MD5 was initially designed to be used as a cryptographic hash
> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it
> has been found to suffer from extensive vulnerabilities. It can still be
> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
> against unintentional corruption."
>
> I was wondering so I checked and we no longer use MD5 anywhere but for
> last usable ciphers in Catalina ofbiz-component.xml
>
> I copied that recently from [1] and read now at [2] that MD5 is still
> used, though still almost at the end of the possible default ciphers.
>
> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to
> used only nowadays reliable ciphers
>
> Maybe we could ask Tomcat user ML for advice, but reading
> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff
> and we will get the same answer from the ML.
>
> What are your opinions? Should we follow [3] suggestion or let it as is
> OOTB and just warn users about that in a comment? Note that [4] is really
> complete and interesting, MD5 as a cypher is not recommended there.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>
> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>
> [3] https://s.apache.org/h2vH
>
> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Jacques
>



-- 
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia

Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: i...@coherentsoftware.com.au

Reply via email to