Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10920

FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 7.1.0.DR18
    • Security

    Description

      Elytron HTTP DIGEST authentication comply to rfc2617 - which means MD5 is used by default (it means it is hardcode, with no way to configure another hash algorithm). But MD5 could make troubles in fips environment [5].

      DigestAuthenticationMechanism.java
              String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
        if (MD5.equals(algorithm) == false) {
            throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
        }

      There exists proposed rfc7616 which makes algorithm configurable, work on new DIGEST features are covered by [1]. dlofthouse is it planned for [1] to target 7.1?

      [1] https://issues.jboss.org/browse/ELY-286
      [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
      [3] https://tools.ietf.org/html/rfc2617
      [4] https://tools.ietf.org/html/rfc7616
      [5] https://access.redhat.com/support/cases/#/case/01761455

      Attachments

        Issue Links

          blocks

          Tracker - Issue tracking a bug fix or improvement in another component JBEAP-4120 FIPS mode issues

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1369 FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Darran Lofthouse
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: