https://bz.apache.org/bugzilla/show_bug.cgi?id=69607
Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---

HTTP Digest Authentication [RFC 2617] practically requires the use of MD5. Yes, there is RFC 7616, but I'm not sure how widely supported that is among web browsers. Even if web browsers support it, the migration path for applications from MD5 to another digest algorithm is probably so convoluted they are more likely to start again from scratch.

The servlet spec (6.1) 13.6.2 says "Servlet containers SHOULD support HTTP_DIGEST authentication." Because of this, Tomcat SHOULD (IMHO: must) continue to support both HTTP_DIGEST and, because of the above, MD5.

If you are failing a security audit because Tomcat is initializing a prohibited algorithm *but not actually using it*, then I think a patch that uses something like a system property to cause Tomcat to skip initializing an MD5 MessageDigest is reasonable. But Tomcat itself is not using MD5 for anything it's not configured by its user to actually use, so the default configuration is indeed safe.
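An added illustration (not part of the bug report or of Tomcat's code) of why the comment calls the MD5-to-SHA-256 migration convoluted: in HTTP Digest the password only ever enters through H(A1) = H(username:realm:password), so a server that stores H(A1) rather than cleartext passwords holds a credential bound to one hash algorithm, and cannot validate an RFC 7616 SHA-256 response from it. The request values below are the RFC 2617 section 3.5 sample exchange (MD5); the function names and the `ALGORITHMS` mapping are my own.

```python
import hashlib
import hmac

# Digest "algorithm" tokens (RFC 2617 / RFC 7616) mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}


def _h(algorithm, data):
    """Hex digest of data under the hash named by the Digest algorithm token."""
    return hashlib.new(ALGORITHMS[algorithm], data.encode("utf-8")).hexdigest()


def ha1(algorithm, username, realm, password):
    """H(A1): the only step where the password is used. A server may store this
    value instead of the password, which ties the stored credential to one algorithm."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm, stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response value both sides compute for qop=auth (RFC 2617 3.2.2.1, RFC 7616 3.4.1)."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(algorithm, stored_ha1, presented_response, **request):
    """Server-side check: recompute from the stored H(A1), compare in constant time."""
    expected = digest_response(algorithm, stored_ha1, **request)
    return hmac.compare_digest(expected, presented_response)


# Sample request fields from RFC 2617 section 3.5 (the RFC's constructed example).
RFC2617_EXAMPLE = dict(method="GET", uri="/dir/index.html",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       nc="00000001", cnonce="0a4f113b")


def migration_demo():
    """Show that an MD5 H(A1) on file cannot validate a SHA-256 client."""
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    md5_ha1 = ha1("MD5", user, realm, pw)            # what an MD5-era realm stores
    md5_resp = digest_response("MD5", md5_ha1, **RFC2617_EXAMPLE)
    # A browser that negotiated SHA-256 derives its own H(A1) with SHA-256.
    sha_resp = digest_response("SHA-256", ha1("SHA-256", user, realm, pw), **RFC2617_EXAMPLE)
    return {
        "md5": md5_resp,
        "sha256": sha_resp,
        # The stored MD5 H(A1) is useless here: the realm must re-collect passwords to migrate.
        "md5_ha1_verifies_sha256": verify("SHA-256", md5_ha1, sha_resp, **RFC2617_EXAMPLE),
    }
```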