You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Joh (Jira)" <ji...@apache.org> on 2021/02/24 01:53:03 UTC
[jira] [Commented] (ZOOKEEPER-3696) Support alternative algorithms
for ACL digest
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17289562#comment-17289562 ]
Joh commented on ZOOKEEPER-3696:
--------------------------------
What is this ?
On Nov 2, 2020, at 11:00 AM, Mate Szalay-Beko (Jira) <ji...@apache.org> wrote:
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mate Szalay-Beko resolved ZOOKEEPER-3696.
-----------------------------------------
Resolution: Fixed
Issue resolved by pull request 1318
[https://github.com/apache/zookeeper/pull/1318]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
> Support alternative algorithms for ACL digest
> ---------------------------------------------
>
> Key: ZOOKEEPER-3696
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Reporter: Patrick D. Hunt
> Assignee: Ling Mao
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 3.7.0
>
> Time Spent: 5h 20m
> Remaining Estimate: 0h
>
> DigestAuthenticationProvider is using SHA1 which is known to be broken, eg recently:
> https://shattered.io/
> https://sha-mbles.github.io/
> etc...
> We should mark DigestAuthenticationProvider as deprecated at a minimum, perhaps even just remove it asap. The docs should also reflect this (ie don't use)
> We could replace DigestAuthenticationProvider with DigestAuthenticationProvider3 or similar (use SHA3, not SHA2 if we do so) Or perhaps a version that allows the user to select? Regardless, would be good to give a simple option to the end user.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)