zookeeper-dev mailing list archives

From "maoling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?
Date Thu, 28 Jun 2018 11:29:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16526222#comment-16526222 ]

maoling commented on ZOOKEEPER-3069:

Too embarrassed am I. It seems that I don't get your idea.

> document: is mutual auth with DIGEST-MD5 insecure?
> --------------------------------------------------
>                 Key: ZOOKEEPER-3069
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: documentation
>            Reporter: Jan Zerebecki
>            Priority: Minor
> The [documentation regarding mutual ZooKeeper server to server authentication with DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication] currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared obsolete in 2011 due to security problems.|https://tools.ietf.org/html/rfc6331]
> This is in relation to whether this is an effective mitigation for CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].
> Would the following be a fitting addition to the documentation?:
> DIGEST-MD5 based authentication should not be relied on for authentication as it is insecure, it is only provided for test purposes.

This message was sent by Atlassian JIRA
