Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-5949

Review default security parameters (use PBKDF2, stronger cryptomanager settings, etc)


    • Type: Task
    • Status: Done
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: security
    • Labels:


      Many of the default security settings in DJ have remained unchanged for many years, despite weaknesses being discovered in certain algorithms and also the advancement of best practices.

      This issue can be closed once we have reviewed the default security settings in DJ in order to make sure that they are aligned with current best practices. In addition, we should put in place a process requiring us to perform periodic reviews.

      As an example, the CryptoManager default settings look a little out of date:

      • default "digest-algorithm" is SHA-1
      • default "mac-algorithm" is HmacSHA1
      • default cipher key lengths are 128
      • etc..

      Comment from Neil Madden:

      It would be good to update those. I can help with recommendations, but would need to discuss details - e.g., we could swap out AES/CBC/PKCS5Padding for AES/GCM/NoPadding but that also requires the code to supply a GCMParameterSpec vs an IVParameterSpec, so might not be a simple swap.


      Jean-Noël Rouvignac also pointed to this part of the code: https://stash.forgerock.org/projects/OPENDJ/repos/opendj/browse/opendj-server/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java#1543


          Issue Links



              • Assignee:
                gaetan Gaetan Boismal [X] (Inactive)
                matthew Matthew Swift
                Dev Assignee:
                Gaetan Boismal [X] (Inactive)
                QA Assignee:
                Ondrej Fuchsik
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: