Posted to issues-all@impala.apache.org by "Wenzhe Zhou (Jira)" <ji...@apache.org> on 2020/10/30 05:19:00 UTC

[jira] [Resolved] (IMPALA-10206) Avoid MD5 Digest Authorization for debug Web Server in FIPS mode

     [ https://issues.apache.org/jira/browse/IMPALA-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wenzhe Zhou resolved IMPALA-10206.
----------------------------------
    Fix Version/s: Impala 4.0
       Resolution: Fixed

> Avoid MD5 Digest Authorization for debug Web Server in FIPS mode
> ----------------------------------------------------------------
>
>                 Key: IMPALA-10206
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10206
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>    Affects Versions: Impala 4.0
>            Reporter: Wenzhe Zhou
>            Assignee: Wenzhe Zhou
>            Priority: Major
>              Labels: FIPS
>             Fix For: Impala 4.0
>
>
> Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for the third-party web server library - Squeasel. Squeasel supports the HTTP Digest Access Authorization with the MD5 hash algorithm (RFC 2069, RFC 2617). Since the MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication will not work with a FIPS-certified crypto library. In 2015, [RFC 7616|https://tools.ietf.org/html/rfc7616] replaced [RFC 2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms: "SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding is equivalent to the "MD5" and "MD5-sess" algorithms, with the [MD5 hashing function|https://en.wikipedia.org/wiki/MD5] replaced with [SHA-256|https://en.wikipedia.org/wiki/SHA-256] and [SHA-512/256|https://en.wikipedia.org/wiki/SHA-512].
> In FIPS mode, it's better to support the SHA-256 hash algorithm for HTTP Digest Authentication in Squeasel.
> Squeasel also uses the SHA-1 hash algorithm for WebSocket hands off. Since SHA-1 is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that WebSocket is only available when Squeasel is compiled with DUSE_WEBSOCKET, but Impala integrates Squeasel without defining USE_WEBSOCKET, so WebSocket is not supported now. It's not urgent to replace SHA-1 with SHA-512.



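The relationship the issue describes, where the RFC 7616 "SHA-256" computation is the RFC 2617 "MD5" one with the hash function swapped, shown as an added example in Python (not Impala or Squeasel code). The function names, the `FIPS_ALLOWED` policy set and all request values are assumptions constructed for illustration; only qop=auth without the "-sess" variants is covered.

```python
import hashlib
import hmac

# Algorithm tokens from the Digest header mapped to hashlib constructors.
# MD5 is the RFC 2617 algorithm; SHA-256 is one of those added by RFC 7616.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}
FIPS_ALLOWED = {"SHA-256"}  # assumption: policy chosen for this sketch


def _h(algorithm, text):
    return ALGORITHMS[algorithm](text.encode("utf-8")).hexdigest()


def digest_response(algorithm, p, password, method):
    """Compute the qop=auth 'response' value (non "-sess" variants)."""
    ha1 = _h(algorithm, f"{p['username']}:{p['realm']}:{password}")
    ha2 = _h(algorithm, f"{method}:{p['uri']}")
    return _h(algorithm, f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def verify(p, password, method, fips_mode):
    """Server-side check of an already parsed Authorization: Digest header."""
    algorithm = p.get("algorithm", "MD5")  # an absent parameter means MD5
    if algorithm not in ALGORITHMS:
        return False
    if fips_mode and algorithm not in FIPS_ALLOWED:
        return False  # refuse before calling the non-approved hash
    expected = digest_response(algorithm, p, password, method)
    return hmac.compare_digest(expected, p.get("response", ""))


def sample_request(algorithm, password="s3cret", method="GET"):
    """Constructed client request; every value here is made up."""
    p = {"username": "admin", "realm": "debug-webserver", "uri": "/metrics",
         "nonce": "constructed-nonce-0001", "nc": "00000001",
         "cnonce": "constructed-cnonce", "qop": "auth", "algorithm": algorithm}
    p["response"] = digest_response(algorithm, p, password, method)
    return p


if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        req = sample_request(alg)
        print(alg, len(req["response"]), "hex chars,",
              "fips ok" if verify(req, "s3cret", "GET", True) else "fips rejected")
```

A request that omits the `algorithm` parameter falls back to MD5, so in FIPS mode the check rejects it as well.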