[
https://issues.apache.org/jira/browse/IMPALA-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218811#comment-17218811
]
Wenzhe Zhou commented on IMPALA-10206:
--------------------------------------
Tried to add code to support SHA-256 in Squeasel Web Server, but browser Chrome
don't support it. Cannot find a client/browser to verify the code change.
The successor of RFC 2617 adds support for SHA-256 instead of MD5 and makes the
qop field mandatory thus making the whole authentication more secure. However,
no major browser/client (Edge, FF, Chrome, Opera, curl) supports it.
Most sites don't use any of the HTTP authentication mechanism, i.e. Basic
Authentication or MD5 based Digest Authentication, because these mechanisms are
very limited in what they offer. It is not even possible to logout using these
authentication mechanisms. But even the few sites which use HTTP authentication
usually prefer basic authentication over HTTPS instead of digest
authentication, since the last one requires that the passwords are stored at
the server as plain text or equivalent, which of course is bad from a security
perspective. The only advantage digest authentication has against other
authentication forms is if is used with unencrypted connections. But in FIPS
environment, TLS is already enabled.
Verified on a FIPS enabled cluster that SPNEGO authentication mode is used for
Impala Web server. So we don't need to support SHA-256 for HTTP digest
authentication. Instead, make sure MD5 digest authentication is not used in
FIPS enabled environment.
> Avoid MD5 Digest Authorization for debug Web Server in FIPS mode
> ----------------------------------------------------------------
>
> Key: IMPALA-10206
> URL: https://issues.apache.org/jira/browse/IMPALA-10206
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Major
> Labels: FIPS
>
> Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for
> the third party web server library - Squeasel. Squeasel supports the HTTP
> Digest Access Authorization with MD5 hash algorithm (RFC 2069, RFC 2617).
> Since the MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication
> will not work with FIPS-certified^^ crypto library. In 2015, [RFC
> 7616|https://tools.ietf.org/html/rfc7616] replaced [RFC
> 2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms:
> "SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding
> is equivalent to "MD5" and "MD5-sess" algorithms, with [MD5 hashing
> function|https://en.wikipedia.org/wiki/MD5] replaced with
> [SHA-256|https://en.wikipedia.org/wiki/SHA-256] and
> [SHA-512/256|https://en.wikipedia.org/wiki/SHA-512].
> In FIPS mode, it's better to support SHA-256 hash algorithm for HTTP Digest
> Authentication in Squeasel.
> Squeasel also use SHA-1 hash algorithms for WebSocket hands off. Since SHA-1
> is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that
> WebSocket is only available when Squeasel is compiled with DUSE_WEBSOCKET,
> but Impala integrate Squeasel without defining USE_WEBSOCKET so WebSocket is
> not supported now. It's not urgent to replace SHA-1 with SHA-512.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
