[jira] [Updated] (ZOOKEEPER-3696) deprecate DigestAuthenticationProvider which uses broken SHA1

Enrico Olivelli (Jira) Fri, 20 Mar 2020 12:42:08 -0700


     [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Enrico Olivelli updated ZOOKEEPER-3696:
---------------------------------------
    Fix Version/s:     (was: 3.6.1)
                   3.6.2

> deprecate DigestAuthenticationProvider which uses broken SHA1
> -------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3696
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: security
>            Reporter: Patrick D. Hunt
>            Priority: Blocker
>             Fix For: 3.7.0, 3.5.8, 3.6.2
>
>
> DigestAuthenticationProvider is using SHA1 which is known to be broken, eg 
> recently:
> https://shattered.io/
> https://sha-mbles.github.io/
> etc...
> We should mark DigestAuthenticationProvider as deprecated at a minimum, 
> perhaps even just remove it asap. The docs should also reflect this (ie don't 
> use)
> We could replace DigestAuthenticationProvider with 
> DigestAuthenticationProvider3 or similar (use SHA3, not SHA2 if we do so) Or 
> perhaps a version that allows the user to select? Regardless, would be good 
> to give a simple option to the end user.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (ZOOKEEPER-3696) deprecate DigestAuthenticationProvider which uses broken SHA1

Reply via email to