Many of the default security settings in DJ have remained unchanged for many years, despite weaknesses being discovered in certain algorithms and also the advancement of best practices.
This issue can be closed once we have reviewed the default security settings in DJ in order to make sure that they are aligned with current best practices. In addition, we should put in place a process requiring us to perform periodic reviews.
As an example, the CryptoManager default settings look a little out of date:
- default "digest-algorithm" is SHA-1
- default "mac-algorithm" is HmacSHA1
- default cipher key lengths are 128
- etc..
Comment from Neil Madden:
It would be good to update those. I can help with recommendations, but would need to discuss details - e.g., we could swap out AES/CBC/PKCS5Padding for AES/GCM/NoPadding but that also requires the code to supply a GCMParameterSpec vs an IVParameterSpec, so might not be a simple swap.
Jean-Noël Rouvignac also pointed to this part of the code: https://stash.forgerock.org/projects/OPENDJ/repos/opendj/browse/opendj-server/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java#1543
- caused
-
OPENDJ-6824 Cannot import symmetric keys on older servers in a mixed version topology
-
- Done
-
- is related to
-
OPENDJ-6389 Reconsider fingerprint certificate mapper settings
-
- Done
-
- is required by
-
OPENDJ-6577 Create profile to decrease security settings of new server joining an existing topology
-
- Done
-
- relates to
-
-
- Dev backlog
-
- links to
- Wiki Page
-
Wiki Page Loading...