[ https://issues.jboss.org/browse/ELY-1369?page=com.atlassian.jira.plugin.s... ]
Jan Kalina edited comment on ELY-1369 at 9/21/17 11:58 AM:
-----------------------------------------------------------
Hmm... reading too late, but adding an algorithm is a trivial change - most of the PR is a fix of the hash for defined qop=auth, discovered by a new related test.
was (Author: honza889):
Hmm... reading too late, but adding an algorithm is a trivial change - most of the PR is a fix of the hash for defined qop=auth (+test coverage).
FIPS mode, Elytron HTTP DIGEST authentication mechanism not FIPS compliant
--------------------------------------------------------------------------
Key: ELY-1369
URL: https://issues.jboss.org/browse/ELY-1369
Project: WildFly Elytron
Issue Type: Bug
Components: HTTP
Affects Versions: 1.2.0.Beta3
Reporter: Jan Kalina
Assignee: Jan Kalina
Labels: eap7.1.0-to-prd
Elytron HTTP DIGEST authentication complies with RFC 2617 - which means MD5 is used by default (it is hardcoded, with no way to configure another hash algorithm). But MD5 could cause trouble in a FIPS environment [5].
{code:java|title=DigestAuthenticationMechanism.java}
String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
// only MD5 is accepted; any other algorithm value in the response is rejected
if (MD5.equals(algorithm) == false) {
    throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
}
{code}
There exists a proposed RFC 7616 which makes the algorithm configurable; work on new DIGEST features is covered by [1]. [~dlofthouse] is it planned for [1] to target 7.1?
[1] https://issues.jboss.org/browse/ELY-286
[2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
[3] https://tools.ietf.org/html/rfc2617
[4] https://tools.ietf.org/html/rfc7616
[5] https://access.redhat.com/support/cases/#/case/01761455
--
This message was sent by Atlassian JIRA (v7.2.3#72005)
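As an added example (not Elytron or PR code), this computes the RFC 7616 Digest response for qop=auth with the hash algorithm taken from the negotiated algorithm parameter instead of being hardcoded to MD5, so a deployment can stay on SHA-256 where MD5 is unavailable. The class, helper names and the token-to-JCA-name mapping are my own; the inputs are the RFC 7616 section 3.9.1 example values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Added example, not Elytron code: RFC 7616 Digest response for qop=auth with a negotiated algorithm.
public class Rfc7616DigestExample {
    // RFC 7616 algorithm tokens mapped to JCA MessageDigest names (the "-sess" variants are omitted here).
    static final Map<String, String> JCA_NAMES = Map.of(
            "MD5", "MD5",
            "SHA-256", "SHA-256",
            "SHA-512-256", "SHA-512/256");

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }
    // H(data): the selected hash over the UTF-8 bytes, as lowercase hex (RFC 7616 section 3.4).
    static String h(MessageDigest md, String data) {
        return hex(md.digest(data.getBytes(StandardCharsets.UTF_8)));
    }

    // response = H(H(A1) ":" nonce ":" nc ":" cnonce ":" "auth" ":" H(A2)), with
    // A1 = username ":" realm ":" password and A2 = method ":" request-uri.
    // A missing algorithm parameter means MD5 for RFC 2617 compatibility; with a FIPS-restricted
    // provider set, MessageDigest.getInstance("MD5") may itself throw NoSuchAlgorithmException.
    static String response(String algorithm, String username, String realm, String password,
                           String method, String uri, String nonce, String nc, String cnonce)
            throws NoSuchAlgorithmException {
        String jcaName = JCA_NAMES.get(algorithm == null ? "MD5" : algorithm);
        if (jcaName == null) {
            throw new NoSuchAlgorithmException("Digest algorithm not supported: " + algorithm);
        }
        MessageDigest md = MessageDigest.getInstance(jcaName);
        String ha1 = h(md, username + ":" + realm + ":" + password);
        String ha2 = h(md, method + ":" + uri);
        return h(md, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // Inputs taken from the RFC 7616 section 3.9.1 example (user Mufasa, password "Circle of Life").
        String nonce = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v";
        String cnonce = "f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ";
        for (String alg : new String[] {"MD5", "SHA-256"}) {
            System.out.println(alg + ": " + response(alg, "Mufasa", "http-auth@example.org",
                    "Circle of Life", "GET", "/dir/index.html", nonce, "00000001", cnonce));
        }
    }
}
```

The printed values can be compared against the response fields shown in RFC 7616 section 3.9.1 for the MD5 and SHA-256 challenges.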