httpd-dev mailing list archives

From Noel Butler <noel.but...@ausics.net>
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 23:47:01 GMT
This is forwarded to the OP (CC'd), thanks for clearing up a few things
for me as well, and perhaps the docs could be amended to reflect it is
not base md5, remember, most admins out there are not encryption
experts.

Incidentally, when will httpd accept sha2? Planned in 2.2.x, or only
2.3/4.x?

On Tue, 2011-03-08 at 00:06 -0600, William A. Rowe Jr. wrote:

> On 3/7/2011 8:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
> >> On 3/7/2011 5:31 PM, Noel Butler wrote:
> >> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants,
> >> >> let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache
> >> >> Runtime, afaik - part of the build kit for apache modules.
> >> >>
> >> >> I strongly suspect your problem is on another level.
> >> >>
> >> >>
> >> > 
> >> > Actually, he is correct. Though, the Apache variant of md5 is a chosen
> >> > improved security method, it really shouldn't be called MD5 since it is
> >> > not compatible with, well, base MD5 :)
> >> > 
> >> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> >> > 
> >> > MD5
> >> > 
> >> > "$apr1$" + the result of an Apache-specific algorithm using an iterated
> >> > (1,000 times) MD5 digest of various combinations of a random 32-bit salt
> >> > and the password. See the APR source file apr_md5.c
> >> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co>
> >> > for the details of the algorithm.
> >> > 
> >> > 
> >> >       *MD5*
> >> > 
> >> > $ openssl passwd -apr1 myPassword
> >> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> >> > 
> >> > 
> >> > I agree Apache should probably not be calling it MD5. Perhaps it needs
> >> > renaming and MD5 as we all know it, be, MD5.
> >> > 
> >> > and for this reason I will xpost to devs list for some clear (maybe)
> >> > explanation as to why it was called this.
> >> > 
> >> > I don't think Edward's questioning is unreasonable, given the popularity
> >> > of LAMP combination, they are touted to work hand in hand, but as he
> >> > pointed out, they are not, even exampled by openssl wanting -apr1 not
> >> > -md5 to be compatible, so I can see how this would be a problem with
> >> > MySQL insert of md5(foo) not be recognised by an Apache md5 wanting.
> >>
> >> But what does this have to do with httpd?  At best, you are suggesting a
> >> docs improvement. Otherwise this is on the language you are using and not
> >> an ASF issue... but the desired behavior has been part of Crypt::PasswdMD5
> >> for a dozen years, just to give you a Perl example... and
> >> apache_md5_crypt() is unambiguous.
> >>
> >> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> >>
> > 
> > That was a repost from a mysql list... the OP was saying md5 should be md5,
> > when using apache auth against an md5 hash as its auth mechanisms, it does
> > not accept the md5 hash inserted into a DB, i.e.: using mysql insert
> > md5(foo) it won't for the OP recognise it, when using AuthDBDUserPWQuery.
> > 
> > In other words, if you claim to support MD5, it should read an inserted md5
> > hash. But I will forward your post to the OP.
> 
> As cited above, we don't support just "any old arbitrary MD5", and if you are using
> that particular generic form of MD5 today, you really should spend some time reviewing
> security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
> question is not MD5, but Apache MD5, which is and always was a different thing.
> 
> If you have any pointers to our docs where the difference isn't made clear, the docs
> team would really like to hear specifics!  See the address above for their list.
> 
> That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
> not overdue, given that SHA-1 is on equally shaky ground :)
> 
> Back to our regular programming.
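
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not httpd or APR code: a Python rendering of the `$apr1$` algorithm the quoted docs point to in apr_md5.c, next to the bare hex digest that MySQL's `md5()` stores. The function names `apr1_crypt`, `check_apr1` and `plain_md5_hex` are hypothetical; the password and hash are the `openssl passwd -apr1` sample quoted above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)

def apr1_crypt(password, salt):
    """Apache "$apr1$" hash: salted, 1,000-round MD5, not a bare digest."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    for n in range(len(pw), 0, -16):       # mix in alt, len(pw) bytes total
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # the "iterated (1,000 times)" part
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order) + _to64(final[11], 2)
    return "$apr1$" + salt[:8] + "$" + body

def check_apr1(password, stored):
    """Recompute with the salt embedded in `stored`; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # a 32-hex-digit MySQL md5() value is rejected here
    candidate = apr1_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())

def plain_md5_hex(password):
    """Unsalted single MD5 as hex, the form MySQL's md5() returns."""
    return hashlib.md5(password.encode()).hexdigest()
```
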


