zookeeper-dev mailing list archives

From "Jan Zerebecki (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?
Date Mon, 25 Jun 2018 17:13:00 GMT
Jan Zerebecki created ZOOKEEPER-3069:

             Summary: document: is mutual auth with DIGEST-MD5 insecure?
                 Key: ZOOKEEPER-3069
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
             Project: ZooKeeper
          Issue Type: Bug
          Components: documentation
            Reporter: Jan Zerebecki

The [documentation regarding mutual ZooKeeper server to server authentication with DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication]
currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared obsolete in 2011
due to security problems.|https://tools.ietf.org/html/rfc6331]

This is in relation to whether this is an effective mitigation for CVE-2018-8012 AKA ZOOKEEPER-1045,
as mentioned in [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].

Would the following be a fitting addition to the documentation?:

DIGEST-MD5 based authentication should not be relied on for authentication as it is insecure;
it is only provided for test purposes.


This message was sent by Atlassian JIRA
