On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <[email protected]> wrote:
> Hi,
>
> Could I get the following change reviewed please, which is to disable the MD5
> message digest algorithm by default in the HTTP Digest authentication
> mechanism? The algorithm can be opted into by setting a new system property
> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also
> updates the Digest authentication implementation to use some of the more
> secure features defined in RFC7616, such as username hashing and additional
> digest algorithms like SHA256 and SHA512-256.
>
> - Michael
src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
line 514:
> 512: if (getAuthType() == AuthCacheValue.Type.Server &&
> 513: getProtocolScheme().equals("https")) {
> 514: // HTTPS server authentication can use any algorithm
Hello Michael,
Should it be noted somewhere in the text of the linked CSR that the property
values play no role if the request URL's scheme is HTTPS (and proxy isn't
involved)?
As a related question - should the implementation even bother about this HTTP
vs HTTPS protocol check? As far as I understand, the reason why we are
proposing to disable support for MD5 is because of its cryptographic
weakness/vulnerabilities. So irrespective of whether or not the computed MD5
(or any other disabled algorithm) digest value gets transferred over HTTP or
HTTPS, the value would still be cryptographically vulnerable isn't it?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
