[
https://issues.apache.org/jira/browse/IMPALA-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenzhe Zhou updated IMPALA-10206:
---------------------------------
Description:
Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for the
third-party web server library - Squeasel. Squeasel supports HTTP Digest
Access Authorization with the MD5 hash algorithm (RFC 2069, RFC 2617). Since the
MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication will not work
with a FIPS-certified crypto library. In 2015, [RFC
7616|https://tools.ietf.org/html/rfc7616] replaced [RFC
2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms:
"SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding
is equivalent to the "MD5" and "MD5-sess" algorithms, with the [MD5 hashing
function|https://en.wikipedia.org/wiki/MD5] replaced with
[SHA-256|https://en.wikipedia.org/wiki/SHA-256] and
[SHA-512/256|https://en.wikipedia.org/wiki/SHA-512].
In FIPS mode, we should support the SHA-256 hash algorithm for HTTP Digest
Authentication in Squeasel.
Squeasel also uses the SHA-1 hash algorithm for the WebSocket handshake. Since
SHA-1 is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that
WebSocket is only available when Squeasel is compiled with -DUSE_WEBSOCKET, but
Impala integrates Squeasel without defining USE_WEBSOCKET, so WebSocket is not
supported now. It's not urgent to replace SHA-1 with SHA-512.
was:
Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for the
third-party web server library - Squeasel. Squeasel supports HTTP Digest
Access Authorization with the MD5 hash algorithm (RFC 2069, RFC 2617). Since the
MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication will not work
with a FIPS-certified crypto library. In 2015, [RFC
7616|https://tools.ietf.org/html/rfc7616] replaced [RFC
2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms:
"SHA-256", "SHA-256-sess", "SHA-512" and "SHA-512-sess". The encoding is
equivalent to the "MD5" and "MD5-sess" algorithms, with the [MD5 hashing
function|https://en.wikipedia.org/wiki/MD5] replaced with
[SHA-256|https://en.wikipedia.org/wiki/SHA-256] and
[SHA-512|https://en.wikipedia.org/wiki/SHA-512].
To support FIPS, we need to support the SHA-512 hash algorithm for HTTP Digest
Authentication in Squeasel.
Squeasel also uses the SHA-1 hash algorithm for the WebSocket handshake. Since
SHA-1 is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that
WebSocket is only available when Squeasel is compiled with -DUSE_WEBSOCKET, but
Impala integrates Squeasel without defining USE_WEBSOCKET, so WebSocket is not
supported now. It's not urgent to replace SHA-1 with SHA-512.
> Avoid MD5 Digest Authorization for debug Web Server in FIPS mode
> ----------------------------------------------------------------
>
> Key: IMPALA-10206
> URL: https://issues.apache.org/jira/browse/IMPALA-10206
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Major
> Labels: FIPS
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
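The description says the RFC 7616 encoding is the RFC 2617 one with the hash function swapped. The following is an added example, written for this page and not code from Squeasel or Impala, that makes that concrete: the Digest response is computed with the hash as a parameter, a client answers a challenge, and a server verifies it under an algorithm policy that excludes MD5, so no MD5 call is ever made in FIPS mode. The realm, nonce, opaque, user name, password and cnonce are constructed from the worked example in RFC 7616 section 3.9.1, so the responses can be compared with the values printed there; the `FIPS_POLICY` set, the in-memory credential map, and the function names are this example's own assumptions. Note that the header token for SHA-512/256 is spelled `SHA-512-256` in RFC 7616.

```python
"""RFC 7616 HTTP Digest authentication with the hash function as a parameter.
Added example, not Squeasel or Impala code.  Realm, nonce, opaque, user name,
password and cnonce are constructed from the worked example in RFC 7616 3.9.1."""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Set

# Hash constructors keyed by the RFC 7616 "algorithm" token.  Everything below is
# identical for each row; only H() changes.  On a FIPS-enforcing OpenSSL build
# hashlib.md5() may raise ValueError, hence a FIPS-mode server must offer SHA-256.
HASHES: Dict[str, Callable[[], object]] = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}
if "sha512_256" in hashlib.algorithms_available:  # RFC 7616 spells the token with hyphens
    HASHES["SHA-512-256"] = lambda: hashlib.new("sha512_256")

def _base(algorithm: str) -> str:
    """'-sess' changes how A1 is built, not which hash is used."""
    return algorithm[:-5] if algorithm.endswith("-sess") else algorithm

def _h(algorithm: str, data: str) -> str:
    """H(data) as lowercase hex for the given algorithm token."""
    h = HASHES[_base(algorithm)]()  # KeyError for tokens this server does not offer
    h.update(data.encode("utf-8"))
    return h.hexdigest()

def stored_ha1(algorithm, username, realm, password) -> str:
    """H(username:realm:password), what a digest password file holds.  It is bound
    to the hash, so an MD5 file cannot be reused once the server moves to SHA-256."""
    return _h(algorithm, f"{username}:{realm}:{password}")

def effective_ha1(algorithm, ha1_hex, nonce, cnonce) -> str:
    """The -sess variants bind H(A1) to this exchange's nonce and cnonce."""
    return _h(algorithm, f"{ha1_hex}:{nonce}:{cnonce}") if algorithm.endswith("-sess") else ha1_hex

def digest_response(algorithm, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri (qop=auth)."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
def parse_digest(header: str) -> Dict[str, str]:
    """Split 'Digest k=v, k="v", ...' into a dict (quoted or token values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted or token for k, quoted, token in _PARAM.findall(params)}

def client_authorization(challenge, username, password, method, uri, cnonce=None, nc="00000001") -> str:
    """Answer a WWW-Authenticate challenge with an Authorization header (qop=auth only)."""
    c = parse_digest(challenge)
    algorithm = c.get("algorithm", "MD5")
    if "auth" not in [q.strip() for q in c.get("qop", "auth").split(",")]:
        raise ValueError("this example only implements qop=auth")
    cnonce = cnonce or secrets.token_urlsafe(24)
    ha1 = effective_ha1(algorithm, stored_ha1(algorithm, username, c["realm"], password), c["nonce"], cnonce)
    response = digest_response(algorithm, ha1, method, uri, c["nonce"], nc, cnonce)
    fields = [f'username="{username}"', f'realm="{c["realm"]}"', f'uri="{uri}"', f"algorithm={algorithm}",
              f'nonce="{c["nonce"]}"', f"nc={nc}", f'cnonce="{cnonce}"', "qop=auth", f'response="{response}"']
    if "opaque" in c:
        fields.append(f'opaque="{c["opaque"]}"')
    return "Digest " + ", ".join(fields)

def server_verify(authorization, method, credentials, allowed: Set[str], live_nonces: Set[str]) -> bool:
    """Check a response against stored H(A1) keyed by (username, realm, base algorithm).
    `allowed` is server policy; in FIPS mode it excludes MD5, refused before any hashing."""
    p = parse_digest(authorization)
    algorithm = p.get("algorithm", "MD5")
    if algorithm not in allowed or p.get("qop", "auth") != "auth":
        return False
    if p.get("nonce") not in live_nonces:  # never issued, or already consumed
        return False
    stored = credentials.get((p.get("username", ""), p.get("realm", ""), _base(algorithm)))
    if stored is None:
        return False
    ha1 = effective_ha1(algorithm, stored, p["nonce"], p.get("cnonce", ""))
    expected = digest_response(algorithm, ha1, method, p.get("uri", ""), p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

# Constructed from RFC 7616 section 3.9.1; FIPS_POLICY is this example's assumption.
REALM = "http-auth@example.org"
NONCE = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v"
OPAQUE = "FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
CNONCE = "f2/wE4q74E6j5kXyn0z8YZrbF97d3p4z"
FIPS_POLICY = {"SHA-256", "SHA-256-sess", "SHA-512-256", "SHA-512-256-sess"}

def challenge(algorithm: str) -> str:
    """The server's WWW-Authenticate value offering one algorithm."""
    return f'Digest realm="{REALM}", qop="auth, auth-int", algorithm={algorithm}, nonce="{NONCE}", opaque="{OPAQUE}"'

def demo(algorithm: str = "SHA-256") -> Dict[str, object]:
    """One full exchange for Mufasa / 'Circle of Life', judged under the FIPS policy."""
    creds = {("Mufasa", REALM, _base(algorithm)): stored_ha1(algorithm, "Mufasa", REALM, "Circle of Life")}
    auth = client_authorization(challenge(algorithm), "Mufasa", "Circle of Life", "GET", "/dir/index.html", cnonce=CNONCE)
    return {"authorization": auth,
            "response": parse_digest(auth)["response"],
            "accepted_under_fips_policy": server_verify(auth, "GET", creds, FIPS_POLICY, {NONCE}),
            "accepted_for_other_method": server_verify(auth, "POST", creds, FIPS_POLICY, {NONCE})}

if __name__ == "__main__":
    print({a: demo(a) for a in ("MD5", "SHA-256", "SHA-256-sess")})
```

Two points this makes for the migration the ticket describes: the server decides on the `algorithm` token before touching any hash, so an MD5 request is rejected without calling into the crypto library in FIPS mode, and the stored `H(A1)` is itself bound to the hash, so any digest password file or credential store created for MD5 has to be regenerated for SHA-256 rather than converted.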