-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default #7688
Conversation
/csr needed |
👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into |
@Michael-Mc-Mahon has indicated that a compatibility and specification (CSR) request is needed for this pull request. |
@Michael-Mc-Mahon The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
I have still to add the doc update describing the system property, which will come shortly. I may suggest a change of name to the system property to better reflect its exact meaning/purpose |
Webrevs
|
Should we instead have a property to disable algorithms, whose default value would contain "MD5" by default? |
I considered that and implemented it that way at the start, but what you would end up with then is users running their code with something like: -DdisabledAlgNames="" I find that style leads to a much less explicit "opting in" than by making the user explicitly identify the deprecated algorithm by name. |
Right - but it would also allow users to opt-in to disable more algorithms by listing them in the property |
In practical terms, the only other likely candidate there is SHA-1. If that weren't the case, I'd disagree with your point. So, maybe, we could have a 2nd net property with the default disabled algorithms and in net.properties we identify MD5 only for now. Users could add to that list if they want or even specify it on the command line. I think it's potentially confusing, but maybe there is a case for adding to the disabled list. I need to think about a way to do this without subvertng the point about making the user explicitly opt in. |
Thinking about it again, I wonder if we should just deprecate SHA-1 at the same time. I think there will be less compatibility impact than with MD5, and it's basically broken as well. I don't see a reason to opt out of other algorithms at this time. |
I see - maybe we should have a security property identifying the list of algorithm that are disabled, and then a system property to reenable them? |
private static final Set<String> defDisabledAlgs = | ||
Set.of("MD5"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I'm suggesting is that the content of this set could be seeded with the value of a Security Property, defined in java.security - rather than have the default value hardcoded here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think that should work
@@ -224,6 +224,12 @@ <H2>Misc HTTP URL stream protocol handler properties</H2> | |||
property is defined, then its value will be used as the domain | |||
name.</P> | |||
</OL> | |||
<LI><P><B>{@systemProperty http.auth.digest.reEnabledAlgs}</B> (default: <none>)<BR> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello Michael, from what I understand of doc-files
directory (which is where this html file resides) the javadoc
tool considers it an unprocessed files location[1]. So would adding the systemProperty
javadoc taglet here be necessary? I think this won't end up being listed in the system properties index generated by the javadoc tool and I think this line here will just get rendered literally.
[1] https://docs.oracle.com/javase/8/docs/technotes/tools/windows/javadoc.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This actually seems to work. If you build the docs for JDK mainline, you can search for instance, for http.keepAlive.time.proxy
in the javadoc search box and it will lead you net-properties.html
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right indeed. I just checked the generated system properties index and it does list these properties and even links back to this document. In fact, I even found a mail which clearly states that this processing of @systemProperties
is supported for doc-files
https://mail.openjdk.java.net/pipermail/core-libs-dev/2018-November/056653.html
if (logger.isLoggable(PlatformLogger.Level.INFO)) { | ||
logger.info(msg + " This constraint may be relaxed by setting " + | ||
"the \"http.auth.digest.enabledDigestAlgs\" system property."); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suspect this is a typo and perhaps should have been http.auth.digest.reEnabledAlgs
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I'm going to change the name once more and will update it then.
Mailing list message from Bernd Eckenfels on net-dev: Hello, While I like the idea of the user having to explicitely specify the rexenabled legacy algorithms (as opposed to removing the defaultsdisabled) it is not the style the other algorithm policies in JCE work - so it might be confusing. But, more critically I would separate the enabling/implementing of new algorithms from disabling old ones. Especially since there needs to be changes on the server side first. (And I wonder if this can be negotiated anyway?). So why not start with a ?provide new DIGEST Mechanisms? change? Having said that, would it need to start out with disabled new mechanisms so the update won?t change the behavior? (If there is no negotiation?) Gruss On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
Thinking about it again, I wonder if we should just deprecate SHA-1 at the same time. I think there will be less compatibility impact than with MD5, and it's basically broken as well. I don't see a reason to opt out of other algorithms at this time. ------------- PR: https://git.openjdk.java.net/jdk/pull/7688 |
src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM now. It will be even nicer if the known answer tests in RFC 7616 can be included.
Suggest changing the bug title to reflect that SHA-1 is now also disabled by default, i.e. "Disable http DIGEST mechanisms with MD5 or SHA-1 by default". |
@Michael-Mc-Mahon This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 5 new commits pushed to the
Please see this link for an up-to-date comparison between the source branch of this pull request and the ➡️ To integrate this PR with the above commit message to the |
webrevs 06 & 07 have the latest changes, if anyone is just looking at the incremental changes. The main changes are new tests including the hardcoded test from RFC7616 (which has to be run using a modified JDK). |
if (session) { | ||
algorithm = algorithm.substring(0, algorithm.length() - 5); | ||
} | ||
boolean session = algorithm.endsWith ("-sess"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should that be digest.endsWith("-sess");
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, the digest field refers to the actual message digest algorithm (as known to the security libraries). The algorithm field holds the algorithm name as it is defined in RFC7616.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am confused here - because you converted algorithm
to upper case, so it should never end with -sess
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look at line 478: The algorithm
field is reset here to be the upper case of the digest name plus the -sess suffix in lower case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doh! Somehow I'd read that as digestName = digestName + "-sess"
.
All clear now.
if (session) { | ||
algorithm = algorithm.substring(0, algorithm.length() - 5); | ||
} | ||
boolean session = algorithm.endsWith ("-sess"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doh! Somehow I'd read that as digestName = digestName + "-sess"
.
All clear now.
/integrate |
Going to push as commit 7f2a3ca.
Your commit was automatically rebased without conflicts. |
@Michael-Mc-Mahon Pushed as commit 7f2a3ca. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Hi,
Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/7688/head:pull/7688
$ git checkout pull/7688
Update a local copy of the PR:
$ git checkout pull/7688
$ git pull https://git.openjdk.java.net/jdk pull/7688/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 7688
View PR using the GUI difftool:
$ git pr show -t 7688
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/7688.diff