hc-dev mailing list archives

From "F Carlsen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value
Date Tue, 08 Feb 2011 16:45:57 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12992039#comment-12992039

F Carlsen commented on HTTPCLIENT-1053:

Yes, that works

> Security issue - DigestScheme uses constant nonce count value
> -------------------------------------------------------------
>                 Key: HTTPCLIENT-1053
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1053
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>    Affects Versions: 4.1 Final
>         Environment: All configurations using HTTP Digest Scheme for authentication
>            Reporter: F Carlsen
>              Labels: security
>             Fix For: 4.2 Final
>         Attachments: HTTPCLIENT-1053.patch
> The nonce count value in DigestScheme is static (set to 00000001) and never changes. (also seen as comment in said file).
> This means that it fails against servers that correctly detect man-in-the-middle or replay attacks, leading to additional 401 requests (every second time), or such servers must be configured to turn such checks off (which is either poor security or poor for performance).
> I suggest that at minimum, this count is incremented for every call to DigestScheme#createDigest. It should also be an instance variable instead of a static, as it really relates to the challenge (assuming cases where instances are cached for reuse). AtomicInteger is a good choice for implementing this counter.
> See RFC 2617 chapters 3.2.2 and 3.2.3

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
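The failure the report describes, as an added example that is not part of the issue or of HttpClient: a minimal RFC 2617 client/server model in Python in which the server keeps the highest nonce count (nc) seen per nonce, as section 3.2.3 allows, and re-challenges any repeated count. The names ReplayCheckingServer and run_client are assumed; credentials and URI are the RFC 2617 section 3.5 sample values and the server nonces are constructed.

```python
import hashlib
from itertools import count
# Sample credentials and URI taken from the RFC 2617 section 3.5 example.
REALM, USER, PASSWORD = "testrealm@host.com", "Mufasa", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 3.2.2.1 response for qop=auth: nc is part of the hash, so the server can verify it."""
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = _md5(f"{METHOD}:{URI}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class ReplayCheckingServer:
    """Remembers the highest nc per nonce (RFC 2617 3.2.3); a repeated or lower count is a replay."""
    def __init__(self):
        self._seq = count(1)
        self.last_nc = {}
        self.challenge()

    def challenge(self) -> str:
        self.nonce = _md5(f"constructed-server-secret:{next(self._seq)}")  # constructed nonce
        return self.nonce

    def authorize(self, nonce: str, nc: str, cnonce: str, response: str) -> int:
        if nonce != self.nonce or int(nc, 16) <= self.last_nc.get(nonce, 0):
            self.challenge()  # stale nonce or replayed nonce count: answer 401 with a fresh nonce
            return 401
        if response != digest_response(nonce, nc, cnonce):
            return 401
        self.last_nc[nonce] = int(nc, 16)
        return 200

def run_client(server: ReplayCheckingServer, requests: int, increment: bool) -> list:
    """Status of every HTTP exchange. increment=False mimics the reported DigestScheme (nc always 00000001)."""
    statuses, nonce, counter = [], server.nonce, 0
    for i in range(requests):
        while True:
            counter = counter + 1 if increment else 1
            nc, cnonce = f"{counter:08x}", f"cnonce{i}"  # constructed; a real cnonce is random
            status = server.authorize(nonce, nc, cnonce, digest_response(nonce, nc, cnonce))
            statuses.append(status)
            if status == 200:
                break
            nonce, counter = server.nonce, 0  # take the new challenge; nc restarts at 1 for it
    return statuses
```

With the fixed count every request after the first costs an extra 401 round trip ([200, 401, 200, 401, 200] for three requests), while an incrementing count is accepted every time.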
