On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <micha...@openjdk.org> wrote:
> Hi, > > Could I get the following change reviewed please, which is to disable the MD5 > message digest algorithm by default in the HTTP Digest authentication > mechanism? The algorithm can be opted into by setting a new system property > "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also > updates the Digest authentication implementation to use some of the more > secure features defined in RFC7616, such as username hashing and additional > digest algorithms like SHA256 and SHA512-256. > > - Michael src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 514: > 512: if (getAuthType() == AuthCacheValue.Type.Server && > 513: getProtocolScheme().equals("https")) { > 514: // HTTPS server authentication can use any algorithm Hello Michael, Should it be noted somewhere in the text of the linked CSR that the property values play no role if the request URL's scheme is HTTPS (and proxy isn't involved)? As a related question - should the implementation even bother about this HTTP vs HTTPS protocol check? As far as I understand, the reason why we are proposing to disable support for MD5 is because of its cryptographic weakness/vulnerabilities. So irrespective of whether or not the computed MD5 (or any other disabled algorithm) digest value gets transferred over HTTP or HTTPS, the value would still be cryptographically vulnerable isn't it? ------------- PR: https://git.openjdk.java.net/jdk/pull/7688