You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@zookeeper.apache.org by "maoling (Jira)" <ji...@apache.org> on 2020/10/21 02:59:00 UTC

[jira] [Updated] (ZOOKEEPER-3696) Support alternative algorithms for ACL digest

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

maoling updated ZOOKEEPER-3696:
-------------------------------
    Summary: Support alternative algorithms for ACL digest  (was: support multiple algorithms for ACL digest)

> Support alternative algorithms for ACL digest
> ---------------------------------------------
>
>                 Key: ZOOKEEPER-3696
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: security
>            Reporter: Patrick D. Hunt
>            Assignee: maoling
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 3.7.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> DigestAuthenticationProvider is using SHA1 which is known to be broken, eg recently:
> https://shattered.io/
> https://sha-mbles.github.io/
> etc...
> We should mark DigestAuthenticationProvider as deprecated at a minimum, perhaps even just remove it asap. The docs should also reflect this (ie don't use)
> We could replace DigestAuthenticationProvider with DigestAuthenticationProvider3 or similar (use SHA3, not SHA2 if we do so) Or perhaps a version that allows the user to select? Regardless, would be good to give a simple option to the end user.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)