On Mon, 7 Mar 2022 20:35:13 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>>  - update
>>  - update after first review round
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 514:
>
>> 512:         if (getAuthType() == AuthCacheValue.Type.Server &&
>> 513:             getProtocolScheme().equals("https")) {
>> 514:             // HTTPS server authentication can use any algorithm
>
> A more security-conscious user may want to disable MD5 digest authentication,
> even when used over HTTPS, even though the risks are far less than when used
> over HTTP. Is there a way to do that?

There isn't a way to do that currently. I'd prefer not to further complicate the configuration to allow it. It would probably be a lot simpler to just disable MD5 across the board for proxy and server instead? We're including SHA-1 in that list now as well by the way.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688
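The two policies being weighed in this exchange (the quoted condition, where server authentication over HTTPS accepts any Digest algorithm, versus disabling MD5 and SHA-1 across the board for proxy and server) can be made concrete with a small client-side check. The following is an added illustration, not code from the JDK or from this pull request: it parses a constructed `WWW-Authenticate: Digest` challenge, applies the RFC 7616 default of MD5 when no `algorithm` parameter is present, and evaluates the challenge against a disabled-algorithm set under both policies. The function names, the `strict` flag and the sample challenges are assumptions made for the example.

```python
import re

# Constructed sample challenges (not taken from the PR); only the algorithm
# parameter matters for the policy decision below.
CHALLENGES = {
    "md5_explicit": 'Digest realm="api", nonce="abc123", qop="auth", algorithm=MD5',
    "sha256": 'Digest realm="api", nonce="abc123", qop="auth", algorithm=SHA-256',
    "no_algorithm": 'Digest realm="api", nonce="abc123", qop="auth"',
}

# name=value pairs; the value is either a quoted string or a bare token
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_challenge(header):
    """Return the challenge parameters as a dict with lower-cased keys.

    RFC 7616 specifies that a missing 'algorithm' parameter means MD5, so the
    default is filled in explicitly rather than left to the caller.
    """
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    out = {}
    for m in _PARAM.finditer(params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    out.setdefault("algorithm", "MD5")
    return out


def algorithm_allowed(algorithm, auth_type, scheme, disabled, strict=False):
    """Decide whether a Digest algorithm may be used.

    auth_type: 'server' or 'proxy'; scheme: 'http' or 'https'.
    strict=False mirrors the structure of the quoted condition: server
    authentication over HTTPS accepts any algorithm, everything else is checked
    against the disabled set. strict=True is the 'across the board' policy the
    reply proposes: the disabled set applies to proxy and server alike.
    The '-sess' variants share their base algorithm's fate.
    """
    base = algorithm.upper()
    if base.endswith("-SESS"):
        base = base[: -len("-SESS")]
    if not strict and auth_type == "server" and scheme == "https":
        return True
    return base not in {d.upper() for d in disabled}


def evaluate_challenge(header, auth_type, scheme, disabled, strict=False):
    """Parse a challenge and return (algorithm, allowed) under the chosen policy."""
    alg = parse_digest_challenge(header)["algorithm"]
    return alg, algorithm_allowed(alg, auth_type, scheme, disabled, strict)


if __name__ == "__main__":
    disabled = {"MD5", "SHA-1"}
    for name, hdr in CHANNELS.items() if False else CHALLENGES.items():
        for auth_type, scheme in (("server", "https"), ("proxy", "https"), ("server", "http")):
            for strict in (False, True):
                alg, ok = evaluate_challenge(hdr, auth_type, scheme, disabled, strict)
                print(f"{name:13s} {auth_type:6s} {scheme:5s} strict={strict!s:5s} {alg:8s} -> {'allow' if ok else 'reject'}")
```

Running the script shows the one cell where the two policies differ: an MD5 (or absent-algorithm) challenge from a server over HTTPS is accepted under the lenient condition and rejected under the strict one; every other combination gives the same answer either way.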