Summary
Disable by default the MD5 message digest algorithm in HTTP Digest authentication, and define a new system property to re-enable this or any other such disabled algorithms. SHA-1 will also be disabled at this time.
Problem
MD5 is widely accepted to be an insecure digest algorithm and is deprecated in RFC 7616. We need to disable its use by default while allowing users to opt in to using it if required. SHA-1 is also being disabled.
Solution
By default, if an HTTP server proposes MD5 or SHA-1, then the HTTP request will fail with an IOException describing the issue. In addition, a message will be logged with more information, including how to re-enable the algorithm.
Specification
Add the following text to net-properties.html:
<LI><P><B>{@systemProperty http.auth.digest.reEnabledAlgorithms}</B> (default: <none>)<BR>
By default, certain message digest algorithms are disabled for use in HTTP Digest
authentication due to their proven security limitations. This only applies to proxy
authentication and plain-text HTTP server authentication. Disabled algorithms are still
usable for HTTPS server authentication. The default list of disabled algorithms is specified
in the {@code java.security} properties file and currently comprises {@code MD5} and
{@code SHA-1}. If it is still required to use one of these algorithms, then they can be
re-enabled by setting this property to a comma separated list of the algorithm names.</P>
Add the following to the java.security properties file:
#
# Disabled message digest algorithms for use with plaintext
# HTTP Digest authentication (java.net.HttpURLConnection).
# This includes HTTPS Digest authentication to proxies.
# This may be overridden by setting the networking (or system)
# property "http.auth.digest.reEnabledAlgorithms" to a comma
# separated list of algorithms to be allowed.
#
http.auth.digest.disabledAlgorithms = MD5, SHA-1
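The following sketch is an added illustration of the policy the two properties above express, not code from the JDK: it derives the effective disabled set (java.security list minus the re-enabled list) and applies the proxy versus HTTPS-origin distinction from the specification text. The class name, the parsing rules and the name-matching details are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public final class DigestAlgorithmPolicy {
    // Effective disabled set: the java.security list minus anything re-enabled.
    // How the JDK actually parses and matches these values is an assumption here.
    private final Set<String> disabled;

    public DigestAlgorithmPolicy(String disabledAlgorithms, String reEnabledAlgorithms) {
        Set<String> d = parseList(disabledAlgorithms);
        d.removeAll(parseList(reEnabledAlgorithms));
        this.disabled = d;
    }

    // Parse a comma separated list, ignoring surrounding whitespace and case.
    private static Set<String> parseList(String csv) {
        if (csv == null || csv.isBlank()) return new HashSet<>();
        return Arrays.stream(csv.split(","))
                .map(s -> s.trim().toUpperCase(Locale.ROOT))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(HashSet::new));
    }
    // True if a Digest challenge naming this algorithm must be refused.
    // Per the specification text, the restriction covers plain-text HTTP server
    // authentication and proxy authentication (HTTPS included), but not
    // HTTPS server authentication.
    public boolean mustReject(String challengeAlgorithm, boolean tls, boolean proxyAuth) {
        if (tls && !proxyAuth) return false;
        // RFC 7616: a missing algorithm parameter means MD5; a "-sess" suffix
        // (e.g. MD5-sess) selects the session variant of the same hash.
        String alg = challengeAlgorithm == null ? "MD5"
                : challengeAlgorithm.trim().toUpperCase(Locale.ROOT);
        if (alg.endsWith("-SESS")) alg = alg.substring(0, alg.length() - 5);
        return disabled.contains(alg);
    }
    public static void main(String[] args) {
        // Constructed default list, mirroring the java.security entry above;
        // run with -Dhttp.auth.digest.reEnabledAlgorithms=MD5 to see MD5 allowed again.
        DigestAlgorithmPolicy p = new DigestAlgorithmPolicy("MD5, SHA-1",
                System.getProperty("http.auth.digest.reEnabledAlgorithms"));
        System.out.println("MD5 over plain HTTP:      " + (p.mustReject("MD5", false, false) ? "rejected" : "allowed"));
        System.out.println("MD5 via proxy over HTTPS: " + (p.mustReject("MD5", true, true) ? "rejected" : "allowed"));
        System.out.println("MD5 to HTTPS origin:      " + (p.mustReject("MD5", true, false) ? "rejected" : "allowed"));
        System.out.println("SHA-256 over plain HTTP:  " + (p.mustReject("SHA-256", false, false) ? "rejected" : "allowed"));
    }
}
```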
CSR of: JDK-8281561 Disable http DIGEST mechanism with MD5 and SHA-1 by default (Resolved)