Patrick D. Hunt created ZOOKEEPER-3696:
------------------------------------------
Summary: deprecate DigestAuthenticationProvider which uses broken SHA1
Key: ZOOKEEPER-3696
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3696
Project: ZooKeeper
Issue Type: Task
Components: security
Reporter: Patrick D. Hunt
Fix For: 3.6.1, 3.5.7, 3.7.0

DigestAuthenticationProvider is using SHA1, which is known to be broken, e.g. recently:
https://shattered.io/
https://sha-mbles.github.io/
etc.

We should mark DigestAuthenticationProvider as deprecated at a minimum, perhaps even just remove it ASAP. The docs should also reflect this (i.e. don't use it).

We could replace DigestAuthenticationProvider with DigestAuthenticationProvider3 or similar (use SHA3, not SHA2, if we do so). Or perhaps a version that allows the user to select? Regardless, it would be good to give a simple option to the end user.
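
An added example, written in Python rather than the project's Java and not taken from ZooKeeper or from the reporter: it reproduces the `user:base64(SHA1(user:password))` form the existing provider stores in digest ACLs, sketches the selectable-algorithm variant suggested in the issue, and flags legacy entries by decoded digest length. The function names, the algorithm table and the sample credentials are assumptions made for the example.

```python
import base64
import hashlib

# Hypothetical algorithm table for a "user selects" provider; "sha1" is the
# legacy behaviour the issue proposes to deprecate.
ALGORITHMS = {"sha1": hashlib.sha1, "sha3-256": hashlib.sha3_256}


def generate_digest(id_password: str, algorithm: str = "sha1") -> str:
    """Return 'user:base64(H(user:password))' for a 'user:password' string."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    user, sep, _password = id_password.partition(":")
    if not sep or not user:
        raise ValueError("expected 'user:password'")
    # The hash covers the whole 'user:password' string: no salt, one iteration.
    raw = ALGORITHMS[algorithm](id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def classify_acl_id(acl_id: str) -> str:
    """Classify a digest-scheme ACL id by the byte length of its hash."""
    _user, sep, b64 = acl_id.rpartition(":")  # base64 never contains ':'
    if not sep:
        return "malformed"
    try:
        size = len(base64.b64decode(b64, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    return {20: "sha1", 32: "256-bit"}.get(size, "unknown")


def legacy_entries(acl_ids):
    """Return the ACL ids that still carry a 20-byte (SHA1) digest."""
    return [a for a in acl_ids if classify_acl_id(a) == "sha1"]


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    sample = [
        generate_digest("alice:s3cret"),
        generate_digest("bob:hunter2", "sha3-256"),
    ]
    for entry in sample:
        print(classify_acl_id(entry), entry)
    print("needs migration:", legacy_entries(sample))
```

Because the digest is unsalted, the same `user:password` always yields the same ACL id, so the length check above is enough to inventory which entries would need re-issuing under a replacement provider.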