8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default
Reviewed-by: weijun, dfuchs
Michael-Mc-Mahon committed Mar 28, 2022
1 parent 0c472c8 commit 7f2a3ca
Showing 14 changed files with 571 additions and 95 deletions.
Expand Up @@ -224,6 +224,14 @@ <H2>Misc HTTP URL stream protocol handler properties</H2>
property is defined, then its value will be used as the domain
name.</P>
</OL>
<LI><P><B>{@systemProperty http.auth.digest.reEnabledAlgorithms}</B> (default: &lt;none&gt;)<BR>
By default, certain message digest algorithms are disabled for use in HTTP Digest
authentication due to their proven security limitations. This only applies to proxy
authentication and plain-text HTTP server authentication. Disabled algorithms are still
usable for HTTPS server authentication. The default list of disabled algorithms is specified
in the {@code java.security} properties file and currently comprises {@code MD5} and
{@code SHA-1}. If it is still required to use one of these algorithms, then they can be
re-enabled by setting this property to a comma separated list of the algorithm names.</P>
<LI><P><B>{@systemProperty jdk.https.negotiate.cbt}</B> (default: &lt;never&gt;)<BR>
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos
or the Negotiate authentication scheme using Kerberos are employed over HTTPS with
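Review bot: The new http.auth.digest.reEnabledAlgorithms entry points to "the {@code java.security} properties file" for the default disabled list but never names the security property that holds it, so a reader cannot locate or audit the default from this page; suggest naming that property in the same sentence. The entry also leaves open how names in the comma separated list are matched (exact spelling such as {@code SHA-1}, case sensitivity, surrounding whitespace) and what happens to an unrecognised name, which matters because a mistyped value here decides whether a weak digest is in use. It would help to say explicitly whether "proxy authentication" covers proxies reached while tunnelling HTTPS, since the next sentence exempts HTTPS server authentication. Minor wording: "one of these algorithms, then they can be re-enabled" mixes singular and plural.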