git.kaiwu.me - haproxy.git/commit
MINOR: jwe: Disable 'RSA1_5' algorithm by default in jwt_decrypt converters
author: Remi Tricot-Le Breton <rlebreton@haproxy.com>
author date: Thu, 7 May 2026 15:05:17 +0000 (17:05 +0200)
committer: Willy Tarreau <w@1wt.eu>
commit date: Thu, 7 May 2026 16:00:29 +0000 (18:00 +0200)
commit: 495eb7b0e0ca95cfd1621961eb21566b06ca6246
tree: 3658b9a8c96b87c1e91a0ae4c60ee16968467bf7
parent: f82a242c8fc6b3321eeda56277317bc2f2bc7e5b

RFC 8725, section 3.2, suggests to "Avoid all RSA-PKCS1 v1.5
encryption algorithms", so this algorithm gets disabled by default.
Tokens with this "alg" won't be decrypted unless it is explicitly
re-enabled with the 'jwt.decrypt_alg_list' global option.

Thanks to Omkhar Arasaratnam for raising our awareness about this!
Files changed:
  doc/configuration.txt
  reg-tests/jwt/jwt_decrypt.vtc
  src/jwe.c