[
https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523512#comment-16523512
]
maoling commented on ZOOKEEPER-3069:
------------------------------------
[~JanZerebecki] look at
org.apache.zookeeper.server.auth.DigestAuthenticationProvider.generateDigest(String).
In Digest Auth Mode, it uses *username:base64(SHA-1(username:password))*,not
MD5? Am I missing something?
> document: is mutual auth with DIGEST-MD5 insecure?
> --------------------------------------------------
>
> Key: ZOOKEEPER-3069
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
> Project: ZooKeeper
> Issue Type: Bug
> Components: documentation
> Reporter: Jan Zerebecki
> Priority: Minor
>
> The [documentation regarding mutual ZooKeeper server to server authentication
> with
> DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication]
> currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared
> obsolete in 2011 due to security
> problems.|https://tools.ietf.org/html/rfc6331]
> This is in relation to whether this is an effective mitigation for
> CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in
> [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].
> Would the following be a fitting addition to the documentation?:
> DIGEST-MD5 based authentication should not be relied on for authentication as
> it is insecure, it is only provided for test purposes.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
