- Bug
- Resolution: Won't Do
- Major
- None
- 7.1.0.DR18
The upstream issue ELY-1369 is resolved in 7.2.0.
Elytron HTTP DIGEST authentication complies with RFC 2617, which means MD5 is used by default (it is hardcoded, with no way to configure another hash algorithm). But MD5 could cause trouble in a FIPS environment [5].

    String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
    if (MD5.equals(algorithm) == false) {
        throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
    }

There exists the proposed RFC 7616, which makes the algorithm configurable; work on new DIGEST features is covered by [1]. dlofthouse, is it planned for [1] to target 7.1?
[1] https://issues.jboss.org/browse/ELY-286
[2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
[3] https://tools.ietf.org/html/rfc2617
[4] https://tools.ietf.org/html/rfc7616
[5] https://access.redhat.com/support/cases/#/case/01761455
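As an added illustration (not Elytron code and not part of the issue), the following Java 17+ class shows what the quoted check would look like if the server selected the hash from the client's "algorithm" token as RFC 7616 allows, computing and verifying the "response" value for qop=auth with MD5, SHA-256 or SHA-512-256; the class name, the token map and the sample values are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

// Added example, not Elytron code: pick the hash from the client's "algorithm"
// token as RFC 7616 allows, instead of rejecting everything except MD5.
public final class DigestVerifier {
    // RFC 7616 algorithm tokens -> JCA MessageDigest names. A FIPS deployment
    // would drop MD5 from this map and advertise only SHA-256 in the challenge.
    private static final Map<String, String> ALGORITHMS = Map.of(
            "MD5", "MD5", "SHA-256", "SHA-256", "SHA-512-256", "SHA-512/256");
    // H(data) with the base hash of the token ("SHA-256-sess" -> SHA-256).
    static String h(String token, String data) throws NoSuchAlgorithmException {
        String base = token.endsWith("-sess") ? token.substring(0, token.length() - 5) : token;
        String jca = ALGORITHMS.get(base);
        if (jca == null) throw new NoSuchAlgorithmException("unsupported Digest algorithm: " + token);
        byte[] digest = MessageDigest.getInstance(jca).digest(data.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest); // lowercase hex, as the RFC requires
    }
    // response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) for qop=auth (RFC 7616 section 3.4.1).
    static String expectedResponse(Map<String, String> t, String password, String method)
            throws NoSuchAlgorithmException {
        String alg = t.getOrDefault("algorithm", "MD5"); // RFC 2617 default when the token is absent
        String ha1 = h(alg, t.get("username") + ":" + t.get("realm") + ":" + password);
        if (alg.endsWith("-sess")) ha1 = h(alg, ha1 + ":" + t.get("nonce") + ":" + t.get("cnonce"));
        String ha2 = h(alg, method + ":" + t.get("uri"));
        return h(alg, ha1 + ":" + t.get("nonce") + ":" + t.get("nc") + ":" + t.get("cnonce")
                + ":" + t.get("qop") + ":" + ha2);
    }

    // Constant-time comparison of the client's response against the expected value.
    static boolean verify(Map<String, String> t, String password, String method)
            throws NoSuchAlgorithmException {
        byte[] got = t.get("response").getBytes(StandardCharsets.US_ASCII);
        byte[] want = expectedResponse(t, password, method).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(got, want);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample tokens; the response is what a compliant SHA-256 client would send.
        Map<String, String> t = new HashMap<>(Map.of("username", "alice", "realm", "example.org",
                "nonce", "n1", "nc", "00000001", "cnonce", "c1", "qop", "auth",
                "uri", "/dir/index.html", "algorithm", "SHA-256"));
        t.put("response", expectedResponse(t, "secret", "GET"));
        System.out.println("SHA-256 digest verified: " + verify(t, "secret", "GET"));
    }
}
```

A client that sends an algorithm token outside the map still gets NoSuchAlgorithmException, so the unsupported-algorithm failure in the quoted Elytron code is preserved while SHA-2 variants become acceptable.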
- blocks: JBEAP-4120 FIPS mode issues (Resolved)
- is cloned by: ELY-1369 FIPS mode, Elytron HTTP DIGEST authentication mechanism not FIPS compliant (Resolved)