
Better hash algorithm in FingerprintTrustManagerFactory


FingerprintTrustManagerFactory checks if a certificate is trusted by comparing its SHA-1 hash to a list of pre-configured ones:

https://github.com/netty/netty/blob/0cde4d9cb4d19ddc0ecafc5be7c5f7c781a1f6e9/handler/src/main/java/io/netty/handler/ssl/util/FingerprintTrustManagerFactory.java#L85

Unfortunately, nowadays SHA-1 is considered insecure. The issue was reported by LGTM.

I see the following ways to fix it:

  1. Update FingerprintTrustManagerFactory to use a stronger algorithm such as SHA-512. Unfortunately, most likely it’ll break applications that pass a SHA-1 hash to the class.
  2. Deprecate FingerprintTrustManagerFactory and add a new implementation that uses a stronger algorithm.
  3. Update FingerprintTrustManagerFactory to determine a hash algorithm based on the length of the hash passed to the constructor. If a caller passes a SHA-1 hash, the class can also print a warning.

Please let me know if one of the options above is fine (or, you see a better option), and I’ll open a pull request.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (6 by maintainers)

Top GitHub Comments

1 reaction
artem-smotrakov commented, Oct 13, 2020

I like the idea with a builder and deprecating only the public constructor suggested by @trustin

FingerprintTrustManagerFactory f =
  FingerprintTrustManagerFactory
    .builder("SHA256") // Always require the algorithm name
    .fingerprint("deadbeef...")
    .fingerprint("cafecafe...")
    .build();

If no objections, I’ll implement this logic then.

1 reaction
trustin commented, Oct 13, 2020

I don’t see a reason to introduce a new TrustManagerFactory implementation class. We could deprecate the public constructors in favor of builders and static factory methods. e.g.

FingerprintTrustManagerFactory f =
  FingerprintTrustManagerFactory
    .builder("SHA256") // Always require the algorithm name
    .fingerprint("deadbeef...")
    .fingerprint("cafecafe...")
    .build();

The public constructors could call the internal constructor that passes the message digest function, e.g.

@Deprecated
public FingerprintTrustManagerFactory(String... fingerprints) {
    this(FingerprintTrustManagerFactory::sha1Fingerprint, fingerprints);
}

// Called by the builder or the legacy public constructors.
// The example uses Java 8 Function but we can define a dedicated interface if necessary.
FingerprintTrustManagerFactory(
    Function<? super X509Certificate, byte[]> fingerprintFunc,
    String... fingerprints) {
    ...
}

We could also consider implementing more versatile TrustManagerFactory by extracting the verification logic out of the TrustManagerFactory, e.g.

SomeTrustManagerFactory
  .builder()
  .add(CertificateMatchers.fingerprint("SHA256", "deadbeef..."))
  .add("bar.foo.com", CertificateMatchers.strict())
  .add("*.foo.com", CertificateMatchers.any())
  .build();
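
The following is an added example, not code from the thread or from Netty. It sketches the check behind a builder that always takes the algorithm name: the pin length is validated against the digest length when the pins are configured, so a legacy SHA-1 fingerprint cannot be silently accepted into a SHA-256 pin set. The class name `PinnedFingerprints` is hypothetical, the fingerprint is assumed to be the digest of the certificate's encoded (DER) bytes, and the "certificate" in `main` is a constructed stand-in byte string.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical helper (not Netty's class): pins digests of a certificate's DER encoding.
public final class PinnedFingerprints {
    private final String algorithm;
    private final byte[][] pins;

    public PinnedFingerprints(String algorithm, String... hexPins) throws Exception {
        this.algorithm = algorithm;
        int expected = MessageDigest.getInstance(algorithm).getDigestLength();
        pins = new byte[hexPins.length][];
        for (int i = 0; i < hexPins.length; i++) {
            pins[i] = fromHex(hexPins[i]);
            // A 20-byte SHA-1 pin handed to a SHA-256 pin set fails here, at configuration time.
            if (pins[i].length != expected) {
                throw new IllegalArgumentException(algorithm + " pin must be " + expected + " bytes");
            }
        }
    }

    // encodedCert: the bytes X509Certificate.getEncoded() returns for the peer certificate.
    public boolean matches(byte[] encodedCert) throws Exception {
        byte[] actual = MessageDigest.getInstance(algorithm).digest(encodedCert);
        boolean found = false;
        // MessageDigest.isEqual compares in constant time; every pin is checked, no early exit.
        for (byte[] pin : pins) found |= MessageDigest.isEqual(pin, actual);
        return found;
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character");
            out[i] = (byte) (hi << 4 | lo);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for DER bytes; a real caller passes cert.getEncoded().
        byte[] cert = "constructed stand-in for DER bytes".getBytes(StandardCharsets.US_ASCII);
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert)) hex.append(String.format("%02x", b));
        PinnedFingerprints p = new PinnedFingerprints("SHA-256", hex.toString());
        System.out.println(p.matches(cert) + " " + p.matches(new byte[] {0}));
    }
}
```

Constructing the pin set with `"SHA-256"` and a 40-character SHA-1 fingerprint throws `IllegalArgumentException` from the constructor instead of producing a pin that can never match.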