On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <micha...@openjdk.org> wrote:

> Hi,
> 
> Could I get the following change reviewed please, which is to disable the MD5 
> message digest algorithm by default in the HTTP Digest authentication 
> mechanism? The algorithm can be opted into by setting a new system property 
> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also 
> updates the Digest authentication implementation to use some of the more 
> secure features defined in RFC7616, such as username hashing and additional 
> digest algorithms like SHA256 and SHA512-256.
> 
> - Michael

src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java 
line 514:

> 512:         if (getAuthType() == AuthCacheValue.Type.Server &&
> 513:                 getProtocolScheme().equals("https")) {
> 514:             // HTTPS server authentication can use any algorithm

A more security conscious user may want to disable MD5 digest authentication, 
even when used over HTTPS, even though the risks are far less than when used 
over HTTP. Is there a way to do that?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688

Reply via email to