You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Patrick D. Hunt (Jira)" <ji...@apache.org> on 2020/01/12 17:57:00 UTC
[jira] [Created] (ZOOKEEPER-3696) deprecate
DigestAuthenticationProvider which uses broken SHA1
Patrick D. Hunt created ZOOKEEPER-3696:
------------------------------------------
Summary: deprecate DigestAuthenticationProvider which uses broken SHA1
Key: ZOOKEEPER-3696
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
Project: ZooKeeper
Issue Type: Task
Components: security
Reporter: Patrick D. Hunt
Fix For: 3.6.1, 3.5.7, 3.7.0
DigestAuthenticationProvider is using SHA1 which is known to be broken, eg recently:
https://shattered.io/
https://sha-mbles.github.io/
etc...
We should mark DigestAuthenticationProvider as deprecated at a minimum, perhaps even just remove it asap. The docs should also reflect this (ie don't use)
We could replace DigestAuthenticationProvider with DigestAuthenticationProvider3 or similar (use SHA3, not SHA2 if we do so) Or perhaps a version that allows the user to select? Regardless, would be good to give a simple option to the end user.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)