zookeeper-dev mailing list archives

From "maoling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?
Date Tue, 26 Jun 2018 10:01:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523512#comment-16523512

maoling commented on ZOOKEEPER-3069:

[~JanZerebecki] look at org.apache.zookeeper.server.auth.DigestAuthenticationProvider.generateDigest(String).
In Digest Auth Mode, it uses *username:base64(SHA-1(username:password))*, not MD5? Am I missing something?

> document: is mutual auth with DIGEST-MD5 insecure?
> --------------------------------------------------
>                 Key: ZOOKEEPER-3069
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: documentation
>            Reporter: Jan Zerebecki
>            Priority: Minor
> The [documentation regarding mutual ZooKeeper server to server authentication with DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication]
> currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared obsolete in 2011
> due to security problems.|https://tools.ietf.org/html/rfc6331]
> This is in relation to whether this is an effective mitigation for CVE-2018-8012 AKA
> ZOOKEEPER-1045, as mentioned in [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].
> Would the following be a fitting addition to the documentation?:
> DIGEST-MD5 based authentication should not be relied on for authentication as it is insecure,
> it is only provided for test purposes.
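As an added illustration, not code from the issue or from ZooKeeper itself, the Python below reproduces the computation maoling points at in DigestAuthenticationProvider.generateDigest (the client-side "digest" ACL scheme, username:base64(SHA-1(username:password))), which is a different mechanism from the SASL DIGEST-MD5 quorum authentication the issue asks about; the user names and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac


def generate_digest(id_password: str) -> str:
    """Return the ZooKeeper 'digest' ACL id for a 'user:password' string.

    Mirrors the scheme described in the comment above: the user part is
    everything before the first ':', and the whole 'user:password' string
    is hashed with SHA-1 and base64-encoded. The hash is unsalted, so the
    same credentials always yield the same id (see demo_unsalted below).
    """
    user = id_password.split(":", 1)[0]
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def verify_digest(id_password: str, stored_id: str) -> bool:
    """Check presented 'user:password' credentials against a stored digest id.

    Uses a constant-time comparison so that a mismatch does not leak
    which prefix of the encoded hash matched.
    """
    return hmac.compare_digest(generate_digest(id_password), stored_id)


def digest_length(stored_id: str) -> int:
    """Length in bytes of the decoded hash part; 20 confirms SHA-1, not MD5 (16)."""
    encoded = stored_id.split(":", 1)[1]
    return len(base64.b64decode(encoded))


def demo_unsalted(id_password: str) -> bool:
    """True if two independent computations of the same credentials collide,
    which they always do here because there is no per-user salt."""
    return generate_digest(id_password) == generate_digest(id_password)


if __name__ == "__main__":
    # Constructed sample credentials, not real ZooKeeper users.
    acl_id = generate_digest("alice:s3cret")
    print(acl_id)
    print("hash bytes:", digest_length(acl_id))
    print("password ok:", verify_digest("alice:s3cret", acl_id))
    print("wrong password:", verify_digest("alice:guess", acl_id))
```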

This message was sent by Atlassian JIRA
