Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1369

FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 1.2.0.Beta11
    • 1.2.0.Beta3
    • HTTP
    • None

    Description

      Elytron HTTP DIGEST authentication comply to rfc2617 - which means MD5 is used by default (it means it is hardcode, with no way to configure another hash algorithm). But MD5 could make troubles in fips environment [5].

      DigestAuthenticationMechanism.java
              String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
        if (MD5.equals(algorithm) == false) {
            throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
        }

      There exists proposed rfc7616 which makes algorithm configurable, work on new DIGEST features are covered by [1]. dlofthouse is it planned for [1] to target 7.1?

      [1] https://issues.jboss.org/browse/ELY-286
      [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
      [3] https://tools.ietf.org/html/rfc2617
      [4] https://tools.ietf.org/html/rfc7616
      [5] https://access.redhat.com/support/cases/#/case/01761455

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10920 FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Feature Request - Feature requests from customers and/or users ELY-286 HTTP Digest Authentication

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Open
          is related to

          Feature Request - Feature requests from customers and/or users ELY-54 Support for stronger hashes as alternatives to MD5

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: