[jboss-jira] [JBoss JIRA] (ELY-1369) FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant
Martin Choma (JIRA)
issues at jboss.org
Thu Jan 4 08:26:00 EST 2018
[ https://issues.jboss.org/browse/ELY-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509303#comment-13509303 ]
Martin Choma commented on ELY-1369:
-----------------------------------
So do I understand correctly, that to enable new mechanisms only thing to do is to specify auth-method in web.xml to be DIGEST-SHA-256 or DIGEST-SHA-512-256 ?
> FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant
> --------------------------------------------------------------------------
>
> Key: ELY-1369
> URL: https://issues.jboss.org/browse/ELY-1369
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Affects Versions: 1.2.0.Beta3
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Fix For: 1.2.0.Beta11
>
>
> Elytron HTTP DIGEST authentication comply to rfc2617 - which means MD5 is used by default (it means it is hardcode, with no way to configure another hash algorithm). But MD5 could make troubles in fips environment [5].
> {code:java|title=DigestAuthenticationMechanism.java}
> String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
> if (MD5.equals(algorithm) == false) {
> throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
> }
> {code}
> There exists proposed rfc7616 which makes algorithm configurable, work on new DIGEST features are covered by [1]. [~dlofthouse] is it planned for [1] to target 7.1?
> [1] https://issues.jboss.org/browse/ELY-286
> [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
> [3] https://tools.ietf.org/html/rfc2617
> [4] https://tools.ietf.org/html/rfc7616
> [5] https://access.redhat.com/support/cases/#/case/01761455
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
More information about the jboss-jira
mailing list