[jboss-jira] [JBoss JIRA] (JBAS-9453) org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java seems to be hard-coded to use MD5 message digest

Nicholas DiPiazza (Updated) (JIRA) jira-events at lists.jboss.org
Fri Dec 16 10:22:09 EST 2011


     [ https://issues.jboss.org/browse/JBAS-9453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicholas DiPiazza updated JBAS-9453:
------------------------------------

     Issue Type: Bug  (was: Enhancement)
    Environment: IBM JDK6 with security add-ons for FIPS compliance, AIX server
    Component/s: System service

    
> org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java seems to be hard-coded to use MD5 message digest
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JBAS-9453
>                 URL: https://issues.jboss.org/browse/JBAS-9453
>             Project: Legacy JBoss Application Server 6 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: System service
>    Affects Versions: JBossAS-5.1.0.GA
>         Environment: IBM JDK6 with security add-ons for FIPS compliance, AIX server
>            Reporter: Nicholas DiPiazza
>              Labels: AbstractAttachmentStore, FIPS, MD5
>
> We have a requirement that we cannot use weak security algorithms in our environment. We are using JBoss 5.1.0 GA. However, org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java seems to be hard-coded to use MD5, which is not an acceptable hashing algorithm for us.
> We are aware this usage of MD5 in this instance isn't really for security purposes and should be allowed... but unfortunately our FIPS setup for the IBM JDK removes MD5 from Java. So we get a "MD5 is not an installed security algorithm" error message.
> Is there some way besides changing the source code ourselves and hard-coding it to a stronger algorithm? It would be nice if it would try SHA, etc. and some others and only choose to use MD5 if it can't find stronger ones.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
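
The fallback the reporter asks for (try stronger digests first, use MD5 only if nothing else is installed) can be sketched as follows. This is an added example, not code from JBoss AS or from the reporter; the class name ChecksumDigest, its methods and the preference list are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper (not JBoss code): use the strongest digest the JDK has installed. */
public class ChecksumDigest {
    // Assumed preference order, strongest first; MD5 is only the last resort.
    private static final String[] PREFERRED = {"SHA-256", "SHA-1", "SHA", "MD5"};

    /** Returns the first candidate that a registered security provider supplies. */
    static MessageDigest select(String... candidates) {
        StringBuilder tried = new StringBuilder();
        for (String name : candidates) {
            try {
                return MessageDigest.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // On a FIPS-restricted JDK this is where MD5 drops out
                // instead of aborting the caller.
                tried.append(name).append(' ');
            }
        }
        throw new IllegalStateException(
            "No usable message digest; tried: " + tried.toString().trim());
    }

    /** Hex checksum prefixed with the algorithm name, so a stored value records how it was made. */
    static String checksum(byte[] data, String... candidates) {
        MessageDigest md = select(candidates);
        StringBuilder out = new StringBuilder(md.getAlgorithm()).append(':');
        for (byte b : md.digest(data)) {
            out.append(String.format("%02x", b));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not a real attachment.
        byte[] sample = "constructed sample attachment".getBytes("UTF-8");
        System.out.println(checksum(sample, PREFERRED));
        // A made-up algorithm name fails the same way a removed MD5 does,
        // and selection moves on to the next candidate.
        System.out.println(checksum(sample, "NOT-INSTALLED-DIGEST", "SHA-1"));
    }
}
```

Because the selected algorithm can differ between JVMs, a checksum compared across runs or hosts needs the algorithm recorded alongside it, which is why the sketch prefixes the name to the hex value.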
