[jira] [Work logged] (KNOX-3118) Upgrade Knox SSL Self-Signed Certificate from SHA-1 to SHA-256

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3118?focusedWorklogId=964980&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-964980
 ]

ASF GitHub Bot logged work on KNOX-3118:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Apr/25 09:18
            Start Date: 07/Apr/25 09:18
    Worklog Time Spent: 10m 
      Work Description: cxm940188 commented on code in PR #1015:
URL: https://github.com/apache/knox/pull/1015#discussion_r2030830550


##########
gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java:
##########
@@ -92,6 +92,8 @@ public interface GatewayConfig {
 
   String CREDENTIAL_STORE_ALG = "gateway.credential.store.alg";
   String DEFAULT_CREDENTIAL_STORE_ALG = "AES";
+  String CREDENTIAL_SELF_SIGNING_ALG = "gateway.credential.self-signing.alg";

Review Comment:
   reply:
   
   - For the first comment, I will make changes based on your suggestions. 
   
   - For the second point, I feel that the` gateway.self.signing.cert.alg` 
property doesn't seem better than `gateway.credential.self.signing.alg` . Of 
course, this is my personal opinion. Whether to modify it or not, I hope you 
can help me make a final choice.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 964980)
    Time Spent: 1h  (was: 50m)

> Upgrade Knox SSL Self-Signed Certificate from SHA-1 to SHA-256
> --------------------------------------------------------------
>
>                 Key: KNOX-3118
>                 URL: https://issues.apache.org/jira/browse/KNOX-3118
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: ChenXi
>            Priority: Major
>              Labels: security
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> SHA-1, currently used in Knox's current SSL certificates, is 
> cryptographically broken. Proven collision attacks (e.g., SHAttered attack in 
> 2017) allow malicious actors to forge certificates, exposing Knox to 
> man-in-the-middle (MITM) attacks.
> Major browsers (Chrome, Firefox) and operating systems deprecated SHA-1 
> support by 2017, leading to trust warnings for SHA-1-based certificates.
> Therefore, it is necessary to upgrade the default self-signing algorithm of 
> knox from SHA1 to the more secure SHA2(e.g. SHA256).
> *Reference:*
>  * SHA-1 : [https://en.wikipedia.org/wiki/SHA-1]
>  * SHA-2:  [https://en.wikipedia.org/wiki/SHA-2]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)