zookeeper-dev mailing list archives

From "maoling (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?
Date Tue, 26 Jun 2018 09:58:00 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

maoling updated ZOOKEEPER-3069:
-------------------------------
    Attachment: screenshot-1.png

> document: is mutual auth with DIGEST-MD5 insecure?
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-3069
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: documentation
>            Reporter: Jan Zerebecki
>            Priority: Minor
>         Attachments: screenshot-1.png
>
>
> The [documentation regarding mutual ZooKeeper server to server authentication with DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication] currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared obsolete in 2011 due to security problems.|https://tools.ietf.org/html/rfc6331]
> This is in relation to whether this is an effective mitigation for CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].
> Would the following be a fitting addition to the documentation?:
> DIGEST-MD5 based authentication should not be relied on for authentication as it is insecure, it is only provided for test purposes.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
