httpd-dev mailing list archives

From "William A. Rowe Jr."
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 01:38:07 GMT
On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone
>> a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build
>> kit for apache modules.
>> I strongly suspect your problem is on another level.
> Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> method, it really shouldn't be called MD5 since it is not compatible with, well, base
> MD5 :)
> MD5
> "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times)
> digest of various combinations of a random 32-bit salt and the password. See the APR
> source file apr_md5.c for the details of the algorithm.
>       *MD5*
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> we all know it, be, MD5.
> and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> it was called this.
> I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> combination, they are touted to work hand in hand, but as he pointed out, they are not,
> even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
> this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache
> wanting.

But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired
behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.
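
The incompatibility discussed in this thread, as an added example that is not part of the original messages and is not APR's own code: a Python sketch of the salted, 1,000-iteration "$apr1$" scheme beside the single unsalted pass that MySQL's MD5() performs. The function names are hypothetical; the password and hash used to check it are the ones quoted above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value, count):
    """Emit `count` characters, 6 bits each, least significant first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_crypt(password, salt):
    """Apache "$apr1$" MD5-crypt: salted and iterated 1,000 times."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + s)
    final = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(final[:min(16, remaining)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the iterated digest that slows down guessing
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in groups)
    return "$apr1$" + s.decode() + "$" + body + _to64(final[11], 2)

def verify_apr1(password, stored):
    """Check a password against a stored value; only "$apr1$" entries match."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # e.g. the 32 hex characters produced by MySQL MD5()
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)

def mysql_md5(password):
    """What MySQL's MD5() returns: one unsalted pass, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()
```

A column filled with `mysql_md5()` output has no `$apr1$` prefix and no salt, so `verify_apr1()` rejects it even when the password is right; the application has to compute the `$apr1$` string itself before inserting it.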
