[jboss-jira] [JBoss JIRA] (ELY-1369) FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant
Darran Lofthouse (JIRA)
issues at jboss.org
Wed Sep 20 07:52:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13466215#comment-13466215 ]
Darran Lofthouse commented on ELY-1369:
---------------------------------------
At this stage - no, nothing else is planned for EAP 7.1.
The reason we don't support stronger hashes for HTTP Digest is that we have no client that supports stronger hashes for HTTP Digest. At this stage, however, there is no problem with us picking up issues like that, as during the course of WildFly Elytron 1.2.x development we will hopefully be able to pick up some client-side HTTP authentication enhancements, so if the server side already supported it we would be ready.
> FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant
> --------------------------------------------------------------------------
>
> Key: ELY-1369
> URL: https://issues.jboss.org/browse/ELY-1369
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Affects Versions: 1.2.0.Beta3
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Labels: eap7.1.0-to-prd
>
> Elytron HTTP DIGEST authentication complies with RFC 2617, which means MD5 is used by default (it is hardcoded, with no way to configure another hash algorithm). But MD5 could cause trouble in a FIPS environment [5].
> {code:java|title=DigestAuthenticationMechanism.java}
> // The hash is hardcoded: any "algorithm" token other than MD5 is rejected.
> String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
> if (MD5.equals(algorithm) == false) {
>     throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
> }
> {code}
> There exists the proposed RFC 7616, which makes the algorithm configurable; work on new DIGEST features is covered by [1]. [~dlofthouse] is it planned for [1] to target 7.1?
> [1] https://issues.jboss.org/browse/ELY-286
> [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
> [3] https://tools.ietf.org/html/rfc2617
> [4] https://tools.ietf.org/html/rfc7616
> [5] https://access.redhat.com/support/cases/#/case/01761455
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)