  1. Application Server 3 4 5 and 6
  2. JBAS-9453

org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java should not be hard-coded to use MD5 message digest

Details

    Description

      We have a requirement that we cannot use weak security algorithms in our environment. We are using JBoss 5.1.0 GA. However, org/jboss/system/server/profileservice/repository/AbstractAttachmentStore.java seems to be hard-coded to use MD5, which is not an acceptable hashing algorithm for us.

      We are aware this usage of MD5 in this instance isn't really for security purposes and should be allowed... but unfortunately our FIPS setup for the IBM JDK removes MD5 from Java. So we get an "MD5 is not an installed security algorithm" error message.

      Is there some way besides changing the source code ourselves and hard-coding it to a stronger algorithm? It would be nice if it would try SHA, etc. and some others and only choose to use MD5 if it can't find stronger ones.

          People

            Unassigned Unassigned
            ndipiazza66 blah mcgee (Inactive)
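
The fallback requested in the description (prefer a stronger digest, use MD5 only when nothing else is installed) can be written with the standard `java.security.MessageDigest` API. This is an added example, not code from JBoss AS or from the reporter; the class name `ChecksumDigest`, the system property `example.checksum.algorithms` and the preference order are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper for illustration; not part of JBoss AS. */
public class ChecksumDigest {
    // Assumed preference order: strongest first, MD5 only as the last resort.
    static final String[] DEFAULT_PREFERENCE = {"SHA-256", "SHA-1", "MD5"};
    // Hypothetical system property that lets an operator override the order.
    static final String PROPERTY = "example.checksum.algorithms";

    /** Returns the first digest in the list that an installed provider offers. */
    static MessageDigest firstAvailable(String... algorithms) {
        for (String name : algorithms) {
            try {
                return MessageDigest.getInstance(name.trim());
            } catch (NoSuchAlgorithmException e) {
                // Not installed (for example MD5 under a FIPS provider setup): try the next one.
            }
        }
        throw new IllegalStateException("No usable digest among " + String.join(", ", algorithms));
    }

    /** Comma-separated override from the system property, else the default order. */
    static String[] configuredPreference() {
        String override = System.getProperty(PROPERTY);
        return override == null || override.trim().isEmpty() ? DEFAULT_PREFERENCE : override.split(",");
    }

    /** Hex checksum prefixed with the algorithm name, so values made with different digests are never compared. */
    static String checksum(byte[] content) {
        MessageDigest md = firstAvailable(configuredPreference());
        StringBuilder sb = new StringBuilder(md.getAlgorithm()).append(':');
        for (byte b : md.digest(content)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] sample = "<attachment/>".getBytes(StandardCharsets.UTF_8); // constructed sample input
        // A name no provider offers stands in for a digest that has been removed from the JDK.
        System.out.println(firstAvailable("NOT-INSTALLED", "SHA-256").getAlgorithm());
        System.out.println(checksum(sample));
    }
}
```

Recording the algorithm name alongside the value matters when the selected digest can change between environments: a checksum stored under one algorithm will not match one recomputed under another, so a mismatch in the prefix should trigger a recompute rather than be read as a content change.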