Posted to dev@hc.apache.org by "F Carlsen (JIRA)" <ji...@apache.org> on 2011/02/06 09:31:30 UTC

[jira] Created: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value

Security issue - DigestScheme uses constant nonce count value
-------------------------------------------------------------

                 Key: HTTPCLIENT-1053
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1053
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpAuth, HttpClient
    Affects Versions: 4.1 Final, 3.1 Final, 4.2 Final
         Environment: All configurations using HTTP Digest Scheme for authentication
            Reporter: F Carlsen


The nonce count value in DigestScheme is static (set to 00000001) and never changes.  (also seen as comment in said file).

This means that it fails against servers that correctly detect man-in-the-middle or replay attacks, leading to additional 401 requests (every second time), or such servers must be configured to turn such checks off (which is either poor security or poor for performance).

I suggest that at minimum, this count is incremented for every call to DigestScheme#createDigest.  It should also be an instance variable instead of a static, as it really relates to the challenge (assuming cases where instances are cached for reuse).  AtomicInteger is a good choice for implementing this counter.

See RFC 2617 chapters 3.2.2 and 3.2.3

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
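The nonce-count check the report refers to, as an added Python model (not HttpClient's own code): a client that increments nc per challenge beside one that, like the reported DigestScheme, always sends 00000001, against a server that tracks the highest nc seen per nonce as RFC 2617 section 3.2.3 allows. Credentials, nonce values and the hypothetical class names are constructed for the example.

```python
import hashlib
from itertools import count
def h(s): return hashlib.md5(s.encode()).hexdigest()  # H() of RFC 2617: hex MD5

def digest_response(user, realm, pw, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 (qop=auth): KD(H(A1), nonce:nc:cnonce:qop:H(A2)); nc is 8 hex digits."""
    ha1, ha2 = h(f"{user}:{realm}:{pw}"), h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")

class DigestClient:  # broken=True mimics the reported behaviour: nc stuck at 00000001
    def __init__(self, user, realm, pw, broken=False):
        self.creds, self.broken = (user, realm, pw), broken
    def set_challenge(self, nonce):
        self.nonce, self.counter = nonce, count(1)  # counter belongs to the challenge, not the class
    def authorize(self, method, uri, cnonce):
        nc = 1 if self.broken else next(self.counter)
        resp = digest_response(*self.creds, method, uri, self.nonce, nc, cnonce)
        return {"nonce": self.nonce, "nc": nc, "cnonce": cnonce, "response": resp}

class DigestServer:
    """Remembers the highest nc per nonce; a non-increasing nc is a replay (RFC 2617 3.2.3)."""
    def __init__(self, user, realm, pw):
        self.creds, self.ids, self.last_nc = (user, realm, pw), count(1), {}
        self.new_nonce()
    def new_nonce(self):
        self.nonce = f"constructed-nonce-{next(self.ids)}"  # constructed, not a real server nonce
        self.last_nc[self.nonce] = 0
    def check(self, method, uri, auth):
        """200, or 401 (and a fresh challenge) when the digest is wrong or nc did not advance."""
        expected = digest_response(*self.creds, method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
        last = self.last_nc.get(auth["nonce"])
        if last is None or expected != auth["response"] or auth["nc"] <= last:
            self.new_nonce()
            return 401
        self.last_nc[auth["nonce"]] = auth["nc"]
        return 200

def run(broken, requests=4, method="GET", uri="/dir/index.html"):
    """Status codes seen per request; on a 401 the client takes the new nonce and retries once."""
    server = DigestServer("alice", "example.org", "s3cret")  # constructed credentials
    client = DigestClient("alice", "example.org", "s3cret", broken)
    client.set_challenge(server.nonce)
    seen = []
    for i in range(requests):
        codes = [server.check(method, uri, client.authorize(method, uri, f"cnonce{i}"))]
        if codes[0] == 401:  # take the fresh challenge and retry once, as a real client would
            client.set_challenge(server.nonce)
            codes.append(server.check(method, uri, client.authorize(method, uri, f"cnonce{i}r")))
        seen.append(codes)
    return seen
```

With the constant counter every request after the first costs an extra 401 round trip, which is the "every second time" pattern in the report; the per-challenge counter is accepted every time.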


[jira] Resolved: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1053.
-------------------------------------------

    Resolution: Fixed

Patch checked in.

Oleg

> Security issue - DigestScheme uses constant nonce count value
> -------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1053
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1053
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>    Affects Versions: 4.1 Final
>         Environment: All configurations using HTTP Digest Scheme for authentication
>            Reporter: F Carlsen
>              Labels: security
>             Fix For: 4.2 Final
>
>         Attachments: HTTPCLIENT-1053.patch
>
>
> The nonce count value in DigestScheme is static (set to 00000001) and never changes.  (also seen as comment in said file).
> This means that it fails against servers that correctly detect man-in-the-middle or replay attacks, leading to additional 401 requests (every second time), or such servers must be configured to turn such checks off (which is either poor security or poor for performance).
> I suggest that at minimum, this count is incremented for every call to DigestScheme#createDigest.  It should also be an instance variable instead of a static, as it really relates to the challenge (assuming cases where instances are cached for reuse).  AtomicInteger is a good choice for implementing this counter.
> See RFC 2617 chapters 3.2.2 and 3.2.3


[jira] Updated: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1053:
------------------------------------------

    Affects Version/s:     (was: 4.2 Final)
                           (was: 3.1 Final)
        Fix Version/s: 4.2 Final


[jira] Commented: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value

Posted by "F Carlsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12992039#comment-12992039 ] 

F Carlsen commented on HTTPCLIENT-1053:
---------------------------------------

Yes, that works


[jira] Updated: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1053:
------------------------------------------

    Attachment: HTTPCLIENT-1053.patch

DIGEST auth algorithm implementation in HttpClient has not changed much since 2003.

Could you please review / test the patch attached to this issue and let me know if it fixes the problem for you?

Oleg
