[jboss-jira] [JBoss JIRA] (JBAS-9453) org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java should not be hard-coded to use MD5 message digest
jaikiran pai (Commented) (JIRA)
jira-events at lists.jboss.org
Fri Dec 23 02:52:11 EST 2011
[ https://issues.jboss.org/browse/JBAS-9453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12652977#comment-12652977 ]
jaikiran pai commented on JBAS-9453:
------------------------------------
There's no more work going on for AS5 or AS6 community versions, since there will be no more releases of that series. If you have a support/paid account for JBoss EAP, please contact the support team who should be able to help you.
> org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java should not be hard-coded to use MD5 message digest
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: JBAS-9453
> URL: https://issues.jboss.org/browse/JBAS-9453
> Project: Application Server 3, 4, 5 and 6
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: System service
> Affects Versions: JBossAS-5.1.0.GA
> Environment: IBM JDK6 with security add-ons for FIPS compliance, AIX server
> Reporter: Nicholas DiPiazza
> Labels: AbstractAttachmentStore, FIPS, MD5
>
> We have a requirement that we cannot use weak security algorithms in our environment. We are using JBoss 5.1.0 GA. However, org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java seems to be hard-coded to use MD5, which is not an acceptable hashing algorithm for us.
> We are aware this usage of MD5 in this instance isn't really for security purposes and should be allowed... but unfortunately our FIPS setup for the IBM JDK removes MD5 from Java. So we get an "MD5 is not an installed security algorithm" error message.
> Is there some way besides changing the source code ourselves and hard-coding it to a stronger algorithm? It would be nice if it would try SHA, etc. and some others and only choose to use MD5 if it can't find stronger ones.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
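
The fallback requested in the issue description (try stronger digests first and use MD5 only when nothing else is installed) could look like the following. This is an added example, not code from JBoss AS or from either participant; the class `DigestSelector`, its method names and the preference list are assumptions.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper for illustration; not part of JBoss AS.
public class DigestSelector {

    // Assumed preference order: strongest first, MD5 only as a last resort
    // for non-security checksums.
    static final List<String> PREFERRED = Arrays.asList("SHA-256", "SHA-1", "MD5");

    /** Returns the first algorithm in the list that an installed provider supports. */
    static MessageDigest firstAvailable(List<String> candidates) {
        for (String name : candidates) {
            try {
                return MessageDigest.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // Not installed (for example removed by a FIPS provider setup); try the next.
            }
        }
        throw new IllegalStateException("No digest algorithm available from " + candidates);
    }

    /**
     * Checksum prefixed with the algorithm name, so a value stored under one
     * algorithm is never compared with one computed under another.
     */
    static String checksum(byte[] data) {
        MessageDigest md = firstAvailable(PREFERRED);
        StringBuilder sb = new StringBuilder(md.getAlgorithm()).append(':');
        for (byte b : md.digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input.
        byte[] sample = "constructed sample attachment".getBytes(Charset.forName("UTF-8"));
        System.out.println(checksum(sample));
        // A name that no provider supplies stands in for an algorithm removed from the JDK.
        List<String> withMissing = Arrays.asList("NO-SUCH-DIGEST", "SHA-256");
        System.out.println(firstAvailable(withMissing).getAlgorithm());
    }
}
```

Because the selected algorithm can differ between JVMs, a checksum written on one installation only matches on another if both resolve to the same algorithm, which is why the example stores the algorithm name with the value.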