[
https://issues.apache.org/jira/browse/IMPALA-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenzhe Zhou resolved IMPALA-10206.
----------------------------------
Fix Version/s: Impala 4.0
Resolution: Fixed
> Avoid MD5 Digest Authorization for debug Web Server in FIPS mode
> ----------------------------------------------------------------
>
> Key: IMPALA-10206
> URL: https://issues.apache.org/jira/browse/IMPALA-10206
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Major
> Labels: FIPS
> Fix For: Impala 4.0
>
>
> Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for
> the third party web server library - Squeasel. Squeasel supports the HTTP
> Digest Access Authorization with MD5 hash algorithm (RFC 2069, RFC 2617).
> Since the MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication
> will not work with a FIPS-certified crypto library. In 2015, [RFC
> 7616|https://tools.ietf.org/html/rfc7616] replaced [RFC
> 2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms:
> "SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding
> is equivalent to "MD5" and "MD5-sess" algorithms, with [MD5 hashing
> function|https://en.wikipedia.org/wiki/MD5] replaced with
> [SHA-256|https://en.wikipedia.org/wiki/SHA-256] and
> [SHA-512/256|https://en.wikipedia.org/wiki/SHA-512].
> In FIPS mode, it's better to support the SHA-256 hash algorithm for HTTP Digest
> Authentication in Squeasel.
> Squeasel also uses the SHA-1 hash algorithm for WebSocket hands off. Since SHA-1
> is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that
> WebSocket is only available when Squeasel is compiled with DUSE_WEBSOCKET,
> but Impala integrates Squeasel without defining USE_WEBSOCKET, so WebSocket is
> not supported now. It's not urgent to replace SHA-1 with SHA-512.
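The RFC 7616 encoding described in the issue, as an added Python sketch (not Squeasel's or Impala's code): the same response computation parameterized by hash, with a server-side check that refuses MD5 when a hypothetical `fips_mode` flag is set. All function names, the realm, nonce and credentials are constructed for illustration, and the server is assumed to hold the plaintext password rather than a stored H(A1).

```python
import hashlib
import hmac

# RFC 2617 "MD5" and RFC 7616 "SHA-256" share one encoding; only H() differs.
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}
FIPS_APPROVED = {"SHA-256"}  # MD5 is not allowed in FIPS mode


def _h(algorithm, text):
    return HASHES[algorithm](text.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password,
                    method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) for the non-sess variants."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def offered_algorithms(fips_mode):
    """Algorithms the server would advertise, strongest first."""
    return [a for a in HASHES if a in FIPS_APPROVED or not fips_mode]


def verify(fields, password, method, fips_mode):
    """Check a parsed Authorization header (dict) against the stored password."""
    algorithm = fields.get("algorithm", "MD5")  # absent means MD5 per the RFCs
    if algorithm not in offered_algorithms(fips_mode):
        return False  # refuse before any non-approved hash is computed
    expected = digest_response(algorithm, fields["username"], fields["realm"],
                               password, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])


def client_fields(algorithm, password):
    """Constructed sample request; every value here is made up for the demo."""
    f = {"username": "admin", "realm": "impala-debug", "uri": "/metrics",
         "nonce": "c2FtcGxlLW5vbmNl", "nc": "00000001",
         "cnonce": "c2FtcGxlLWNub25jZQ", "qop": "auth", "algorithm": algorithm}
    f["response"] = digest_response(algorithm, f["username"], f["realm"], password,
                                    "GET", f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return f


if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        req = client_fields(alg, "example-password")
        print(alg, len(req["response"]), verify(req, "example-password", "GET", True))
```

A request that omits `algorithm` falls back to MD5 and is therefore rejected in FIPS mode, which is the case a legacy RFC 2617 client would hit.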