On Thu, 10 Mar 2022 16:43:23 GMT, Michael McMahon <[email protected]> wrote:
>> src/java.base/share/conf/security/java.security line 711:
>>
>>> 709: # separated list of algorithms to be allowed.
>>> 710: #
>>> 711: jdk.httpdigest.defaultDisabledAlgorithms = MD5, MD-5, SHA1, SHA-1
>>
>> I haven't seen people using "MD-5". It's also not an alias of "MD5" in our
>> own security providers. On the other hand, we support both "SHA1" and "SHA"
>> (and its OID) as aliases of "SHA-1". So, either we list all these aliases
>> here, or we only put the standard names here and "canonicalize" the name
>> when we see one. `sun.security.util.KnownOIDs.findMatch("SHA-1").stdName()`
>> can be used.
>
> The aliases are a PITA. It's a shame there isn't support in the public API to
> canonicalize the names. But, what I will do is canonicalize the incoming
> strings from the HTTP server and then we only have to list canonical names in
> the properties.
I think it would be more consistent if the namespace of the two properties were
the same. For example, consider renaming the security property to
"http.auth.digest.disabledAlgorithms". I don't think the "default" word adds
anything meaningful.
To avoid any confusion, I think you may also want to add a sentence describing
that these algorithms are only disabled when used over HTTP, and not HTTPS.
Because I think technically are they still called HTTP digest authentication
schemes even if used over HTTPS.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
