Details
-
Enhancement
-
Resolution: Fixed
-
P3
-
None
-
b16
Description
We should probably disable MD5 and SHA-1 in HTTP Digest authentication when used for tunneling or proxying and maybe other cases as well.
Note that RFC 7616 added support for stronger algorithms than MD5 but no longer recommends MD5 be used [1]:
"To maintain backwards compatibility with [RFC2617], the MD5 algorithm is still supported but NOT RECOMMENDED."
More details should be added as well as an assessment of the compatibility risk.
[1] https://datatracker.ietf.org/doc/html/rfc7616#section-3.2
Note that RFC 7616 added support for stronger algorithms than MD5 but no longer recommends MD5 be used [1]:
"To maintain backwards compatibility with [RFC2617], the MD5 algorithm is still supported but NOT RECOMMENDED."
More details should be added as well as an assessment of the compatibility risk.
[1] https://datatracker.ietf.org/doc/html/rfc7616#section-3.2
Attachments
Issue Links
- csr for
-
JDK-8282649 Disable http DIGEST mechanism with MD5 by default
-
- Closed
-
