Posted to issues@zookeeper.apache.org by "Patrick D. Hunt (Jira)" <ji...@apache.org> on 2020/01/12 17:57:00 UTC

[jira] [Created] (ZOOKEEPER-3696) deprecate DigestAuthenticationProvider which uses broken SHA1

Patrick D. Hunt created ZOOKEEPER-3696:
------------------------------------------

             Summary: deprecate DigestAuthenticationProvider which uses broken SHA1
                 Key: ZOOKEEPER-3696
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
             Project: ZooKeeper
          Issue Type: Task
          Components: security
            Reporter: Patrick D. Hunt
             Fix For: 3.6.1, 3.5.7, 3.7.0


DigestAuthenticationProvider is using SHA1, which is known to be broken, e.g. recently:
https://shattered.io/
https://sha-mbles.github.io/
etc...

We should mark DigestAuthenticationProvider as deprecated at a minimum, perhaps even just remove it asap. The docs should also reflect this (i.e. don't use).

We could replace DigestAuthenticationProvider with DigestAuthenticationProvider3 or similar (use SHA3, not SHA2, if we do so). Or perhaps a version that allows the user to select? Regardless, it would be good to give a simple option to the end user.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
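As an added example (not ZooKeeper's own code), here is a Python sketch of the user-selectable digest generation the ticket proposes, assuming the `id:base64(hash("id:password"))` layout that the existing digest scheme produces; the function names, the algorithm labels and the SHA3-256 default are this example's own choices.

```python
import base64
import hashlib
import hmac
import warnings

# Algorithm labels this example accepts. SHA-1 stays only so that existing
# "user:digest" ACL strings can still be checked; new digests default to
# SHA3-256, following the ticket's suggestion to move to SHA3 rather than SHA2.
SUPPORTED_ALGORITHMS = ("sha1", "sha3-256", "sha3-512")
DEPRECATED_ALGORITHMS = ("sha1",)


def is_deprecated(algorithm: str) -> bool:
    return algorithm in DEPRECATED_ALGORITHMS


def _new_hash(algorithm: str):
    if algorithm == "sha1":
        return hashlib.sha1()
    if algorithm == "sha3-256":
        return hashlib.sha3_256()
    if algorithm == "sha3-512":
        return hashlib.sha3_512()
    raise ValueError(f"unsupported digest algorithm: {algorithm}")


def generate_digest(id_password: str, algorithm: str = "sha3-256") -> str:
    """Turn "user:password" into the ACL form "user:<base64 digest>".

    Assumed layout: the id is kept in the clear, the whole "id:password"
    string is hashed, and the raw digest bytes are base64-encoded.
    """
    if is_deprecated(algorithm):
        warnings.warn(f"{algorithm} is deprecated for digest auth; use sha3-256",
                      DeprecationWarning, stacklevel=2)
    user = id_password.partition(":")[0]
    h = _new_hash(algorithm)
    h.update(id_password.encode("utf-8"))
    return f"{user}:{base64.b64encode(h.digest()).decode('ascii')}"


def verify_digest(id_password: str, stored: str, algorithm: str = "sha3-256") -> bool:
    """Constant-time comparison of a presented "user:password" against a stored digest."""
    candidate = generate_digest(id_password, algorithm)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))
```

Running `generate_digest("super:s3cret", "sha1")` raises a DeprecationWarning while still producing the legacy form, so operators can see which stored credentials need regenerating.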