[ 
https://issues.apache.org/jira/browse/MYFACES-4726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18016611#comment-18016611
 ] 

Volodymyr Siedlecki commented on MYFACES-4726:
----------------------------------------------

It turns out that SHA256DRBG is not available on all JDKs. I don't think it 
should be the default.

SHA1PRNG is still used by Tomcat, so I think there's no rush to move to 
something stronger just yet. 

Closing this for now, but perhaps we can revisit it.

 

> Update to a Stronger Pseudo-Random Number Generator (i.e. move away from 
> SHA1PRNG)
> --------------------------------------------------------------------------------
>
>                 Key: MYFACES-4726
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4726
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Volodymyr Siedlecki
>            Priority: Major
>
> We currently use SHA1PRNG for 
> *o.a.m.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM*  and 
> *o.a.m.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM.*
> However, I've noticed it's based on the SHA1 Hash Algorithm which is no 
> longer recommended. 
> SHA256DRBG looks to be a common replacement, though it is a bit more 
> computation intensive.  
> I propose updating the existing SHA1PRNG references in 4.1  and 5.0 to 
> SHA256DRBG?  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
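
The availability problem raised in the comment can be checked per JVM before a stronger algorithm is made a default. The following is an added example, not MyFaces code: the class name, the preference order, and the inclusion of the standard JDK 9+ `DRBG` name are assumptions for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;
import java.util.List;
import java.util.Set;

public class TokenRandomProbe {

    // Assumed preference order: the name proposed in the issue, then the
    // standard JDK 9+ "DRBG" name, then the current SHA1PRNG default.
    static final List<String> PREFERRED = List.of("SHA256DRBG", "DRBG", "SHA1PRNG");

    /** Returns the first preferred algorithm this JVM can instantiate, else the platform default. */
    static SecureRandom select(List<String> preferred) {
        for (String name : preferred) {
            try {
                return SecureRandom.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // No provider on this JDK registers the name; try the next one.
            }
        }
        return new SecureRandom(); // platform default, always available
    }

    /** Generates a URL-safe token from the given number of random bytes. */
    static String newToken(SecureRandom random, int bytes) {
        byte[] buf = new byte[bytes];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // What this JVM's providers actually register (varies by vendor and version).
        Set<String> available = Security.getAlgorithms("SecureRandom");
        System.out.println("Registered SecureRandom algorithms: " + available);

        SecureRandom random = select(PREFERRED);
        System.out.println("Selected: " + random.getAlgorithm()
                + " from provider " + random.getProvider().getName());
        System.out.println("Sample token: " + newToken(random, 16));
    }
}
```

Running it on each supported JDK shows which names resolve there, so a configured algorithm that is missing falls back instead of failing at token generation.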
