MD5 removing?

> Hi,
>
> Following a recent "distribution policy : make .md5 optional" thread at
> [hidden email] and looking at https://en.wikipedia.org/wiki/MD5
>
> "Although MD5 was initially designed to be used as a cryptographic hash
> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it
> has been found to suffer from extensive vulnerabilities. It can still be
> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
> against unintentional corruption."
>
> I was wondering so I checked and we no longer use MD5 anywhere but for
> last usable ciphers in Catalina ofbiz-component.xml
>
> I copied that recently from [1] and read now at [2] that MD5 is still
> used, though still almost at the end of the possible default ciphers.
>
> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to
> used only nowadays reliable ciphers
>
> Maybe we could ask Tomcat user ML for advice, but reading
> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff
> and we will get the same answer from the ML.
>
> What are your opinions? Should we follow [3] suggestion or let it as is
> OOTB and just warn users about that in a comment? Note that [4] is really
> complete and interesting, MD5 as a cypher is not recommended there.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>
> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>
> [3] https://s.apache.org/h2vH
>
> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Jacques
>

> Hi Jacques,
>
> Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to *not*
> allow MD5 even if a client requests it? So I think we're OK already.
>
> Is it possible for us to leave out the ciphers property from OFBiz
> altogether, so Tomcat's default rules would come into play, and as they
> evolve over time OFBiz would naturally track them, without us having to
> maintain our own copy?
>
> Cheers
>
> Paul Foxworthy
>
>
> On 14 February 2018 at 00:03, Jacques Le Roux <[hidden email]>
> wrote:
>
>> Hi,
>>
>> Following a recent "distribution policy : make .md5 optional" thread at
>> [hidden email] and looking at https://en.wikipedia.org/wiki/MD5
>>
>> "Although MD5 was initially designed to be used as a cryptographic hash
>> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it
>> has been found to suffer from extensive vulnerabilities. It can still be
>> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
>> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
>> against unintentional corruption."
>>
>> I was wondering so I checked and we no longer use MD5 anywhere but for
>> last usable ciphers in Catalina ofbiz-component.xml
>>
>> I copied that recently from [1] and read now at [2] that MD5 is still
>> used, though still almost at the end of the possible default ciphers.
>>
>> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to
>> used only nowadays reliable ciphers
>>
>> Maybe we could ask Tomcat user ML for advice, but reading
>> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff
>> and we will get the same answer from the ML.
>>
>> What are your opinions? Should we follow [3] suggestion or let it as is
>> OOTB and just warn users about that in a comment? Note that [4] is really
>> complete and interesting, MD5 as a cypher is not recommended there.
>>
>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>>
>> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>
>> [3] https://s.apache.org/h2vH
>>
>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> Jacques
>>
>
>

> Thanks Paul,
>
> It did not occur to me that the ! in MD5 was to prevent the use of MD5 :)
>
> I must say that the syntax is not explained in Tomcat doc (or at least I could not find it, even Googling everywhere)
>
> Anyway I tried https://www.ssllabs.com/ssltest/analyze.html?d=demo-trunk.ofbiz.apache.org
>
> And I can confirm that MD5 and the other weak ciphers are not used and we are safe (good results and a 90% for ciphers)
>
> About using Tomcat default, yes I plenty agree and that's what I wanted to do initially but did not because did not understand the ! meaning
>
> I'd do that in trunk and backport
>
> Cheers
>
> Jacques
>
>
> Le 14/02/2018 à 07:00, Paul Foxworthy a écrit :
>> Hi Jacques,
>>
>> Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to *not*
>> allow MD5 even if a client requests it? So I think we're OK already.
>>
>> Is it possible for us to leave out the ciphers property from OFBiz
>> altogether, so Tomcat's default rules would come into play, and as they
>> evolve over time OFBiz would naturally track them, without us having to
>> maintain our own copy?
>>
>> Cheers
>>
>> Paul Foxworthy
>>
>>
>> On 14 February 2018 at 00:03, Jacques Le Roux <[hidden email]>
>> wrote:
>>
>>> Hi,
>>>
>>> Following a recent "distribution policy : make .md5 optional" thread at
>>> [hidden email] and looking at https://en.wikipedia.org/wiki/MD5
>>>
>>> "Although MD5 was initially designed to be used as a cryptographic hash
>>> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it
>>> has been found to suffer from extensive vulnerabilities. It can still be
>>> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
>>> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
>>> against unintentional corruption."
>>>
>>> I was wondering so I checked and we no longer use MD5 anywhere but for
>>> last usable ciphers in Catalina ofbiz-component.xml
>>>
>>> I copied that recently from [1] and read now at [2] that MD5 is still
>>> used, though still almost at the end of the possible default ciphers.
>>>
>>> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to
>>> used only nowadays reliable ciphers
>>>
>>> Maybe we could ask Tomcat user ML for advice, but reading
>>> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff
>>> and we will get the same answer from the ML.
>>>
>>> What are your opinions? Should we follow [3] suggestion or let it as is
>>> OOTB and just warn users about that in a comment? Note that [4] is really
>>> complete and interesting, MD5 as a cypher is not recommended there.
>>>
>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>>>
>>> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>
>>> [3] https://s.apache.org/h2vH
>>>
>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>>>
>>> Jacques
>>>
>>
>>
>
>

> Done with OFBIZ-10223
>
> Jacques
>
>
>
> Le 15/02/2018 à 15:32, Jacques Le Roux a écrit :
>
>> Thanks Paul,
>>
>> It did not occur to me that the ! in MD5 was to prevent the use of MD5 :)
>>
>> I must say that the syntax is not explained in Tomcat doc (or at least I
>> could not find it, even Googling everywhere)
>>
>> Anyway I tried https://www.ssllabs.com/ssltest/analyze.html?d=demo-trunk.
>> ofbiz.apache.org
>>
>> And I can confirm that MD5 and the other weak ciphers are not used and we
>> are safe (good results and a 90% for ciphers)
>>
>> About using Tomcat default, yes I plenty agree and that's what I wanted
>> to do initially but did not because did not understand the ! meaning
>>
>> I'd do that in trunk and backport
>>
>> Cheers
>>
>> Jacques
>>
>>
>> Le 14/02/2018 à 07:00, Paul Foxworthy a écrit :
>>
>>> Hi Jacques,
>>>
>>> Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to
>>> *not*
>>> allow MD5 even if a client requests it? So I think we're OK already.
>>>
>>> Is it possible for us to leave out the ciphers property from OFBiz
>>> altogether, so Tomcat's default rules would come into play, and as they
>>> evolve over time OFBiz would naturally track them, without us having to
>>> maintain our own copy?
>>>
>>> Cheers
>>>
>>> Paul Foxworthy
>>>
>>>
>>> On 14 February 2018 at 00:03, Jacques Le Roux <
>>> [hidden email]>
>>> wrote:
>>>
>>> Hi,
>>>>
>>>> Following a recent "distribution policy : make .md5 optional" thread at
>>>> [hidden email] and looking at https://en.wikipedia.org/wiki/MD5
>>>>
>>>> "Although MD5 was initially designed to be used as a cryptographic hash
>>>> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>,
>>>> it
>>>> has been found to suffer from extensive vulnerabilities. It can still be
>>>> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
>>>> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
>>>> against unintentional corruption."
>>>>
>>>> I was wondering so I checked and we no longer use MD5 anywhere but for
>>>> last usable ciphers in Catalina ofbiz-component.xml
>>>>
>>>> I copied that recently from [1] and read now at [2] that MD5 is still
>>>> used, though still almost at the end of the possible default ciphers.
>>>>
>>>> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how
>>>> to
>>>> used only nowadays reliable ciphers
>>>>
>>>> Maybe we could ask Tomcat user ML for advice, but reading
>>>> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a
>>>> tradeoff
>>>> and we will get the same answer from the ML.
>>>>
>>>> What are your opinions? Should we follow [3] suggestion or let it as is
>>>> OOTB and just warn users about that in a comment? Note that [4] is
>>>> really
>>>> complete and interesting, MD5 as a cypher is not recommended there.
>>>>
>>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>>>>
>>>> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>
>>>> [3] https://s.apache.org/h2vH
>>>>
>>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>>>>
>>>> Jacques
>>>>
>>>>
>>>
>>>
>>
>>
>

> Thanks Jacques.
>
> I bet it is the OpenSSL syntax which is documented here:
> https://www.openssl.org/docs/man1.0.2/apps/ciphers.html .
>
> Cheers
>
> Paul Foxworthy
>
>
> On 16 February 2018 at 01:43, Jacques Le Roux <[hidden email]>
> wrote:
>
>> Done with OFBIZ-10223
>>
>> Jacques
>>
>>
>>
>> Le 15/02/2018 à 15:32, Jacques Le Roux a écrit :
>>
>>> Thanks Paul,
>>>
>>> It did not occur to me that the ! in MD5 was to prevent the use of MD5 :)
>>>
>>> I must say that the syntax is not explained in Tomcat doc (or at least I
>>> could not find it, even Googling everywhere)
>>>
>>> Anyway I tried https://www.ssllabs.com/ssltest/analyze.html?d=demo-trunk.
>>> ofbiz.apache.org
>>>
>>> And I can confirm that MD5 and the other weak ciphers are not used and we
>>> are safe (good results and a 90% for ciphers)
>>>
>>> About using Tomcat default, yes I plenty agree and that's what I wanted
>>> to do initially but did not because did not understand the ! meaning
>>>
>>> I'd do that in trunk and backport
>>>
>>> Cheers
>>>
>>> Jacques
>>>
>>>
>>> Le 14/02/2018 à 07:00, Paul Foxworthy a écrit :
>>>
>>>> Hi Jacques,
>>>>
>>>> Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to
>>>> *not*
>>>> allow MD5 even if a client requests it? So I think we're OK already.
>>>>
>>>> Is it possible for us to leave out the ciphers property from OFBiz
>>>> altogether, so Tomcat's default rules would come into play, and as they
>>>> evolve over time OFBiz would naturally track them, without us having to
>>>> maintain our own copy?
>>>>
>>>> Cheers
>>>>
>>>> Paul Foxworthy
>>>>
>>>>
>>>> On 14 February 2018 at 00:03, Jacques Le Roux <
>>>> [hidden email]>
>>>> wrote:
>>>>
>>>> Hi,
>>>>> Following a recent "distribution policy : make .md5 optional" thread at
>>>>> [hidden email] and looking at https://en.wikipedia.org/wiki/MD5
>>>>>
>>>>> "Although MD5 was initially designed to be used as a cryptographic hash
>>>>> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>,
>>>>> it
>>>>> has been found to suffer from extensive vulnerabilities. It can still be
>>>>> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
>>>>> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
>>>>> against unintentional corruption."
>>>>>
>>>>> I was wondering so I checked and we no longer use MD5 anywhere but for
>>>>> last usable ciphers in Catalina ofbiz-component.xml
>>>>>
>>>>> I copied that recently from [1] and read now at [2] that MD5 is still
>>>>> used, though still almost at the end of the possible default ciphers.
>>>>>
>>>>> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how
>>>>> to
>>>>> used only nowadays reliable ciphers
>>>>>
>>>>> Maybe we could ask Tomcat user ML for advice, but reading
>>>>> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a
>>>>> tradeoff
>>>>> and we will get the same answer from the ML.
>>>>>
>>>>> What are your opinions? Should we follow [3] suggestion or let it as is
>>>>> OOTB and just warn users about that in a comment? Note that [4] is
>>>>> really
>>>>> complete and interesting, MD5 as a cypher is not recommended there.
>>>>>
>>>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>>>>>
>>>>> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>>
>>>>> [3] https://s.apache.org/h2vH
>>>>>
>>>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>
>>>
>