JDK-8281561

Disable http DIGEST mechanism with MD5 and SHA-1 by default

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 19
    • Component/s: core-libs
    • Subcomponent:
    • Resolved In Build: b16

      Description

      We should probably disable MD5 and SHA-1 in HTTP Digest authentication when used for tunneling or proxying and maybe other cases as well.

      Note that RFC 7616 added support for stronger algorithms than MD5 but no longer recommends MD5 be used [1]:

      "To maintain backwards compatibility with [RFC2617], the MD5 algorithm is still supported but NOT RECOMMENDED."

      More details should be added as well as an assessment of the compatibility risk.

      [1] https://datatracker.ietf.org/doc/html/rfc7616#section-3.2

              People

              Assignee:
              michaelm Michael McMahon
              Reporter:
              mullan Sean Mullan
              Votes:
              0
              Watchers:
              5