httpd-dev mailing list archives

From Guenter Knauf <fua...@apache.org>
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 16:41:30 GMT
On 08.03.2011 07:06, William A. Rowe Jr. wrote:
>>> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
>>> Otherwise this is on the language you are using and not an ASF issue... but the desired
>>> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
>>> example... and apache_md5_crypt() is unambiguous.
>>>
>>> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
>>>
>>
>> That was a repost from a mysql list... the OP was saying md5 should be md5: when using
>> apache auth against an md5 hash as its auth mechanism, it does not accept the md5 hash
>> inserted into a DB, i.e. using mysql insert md5(foo) it won't, for the OP, recognise it
>> when using AuthDBDUserPWQuery.
>>
>> In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
>> will forward your post to the OP.
>
> As cited above, we don't support just "any old arbitrary MD5", and if you are using
> that particular generic form of MD5 today, you really should spend some time reviewing
> security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
> question is not MD5, but Apache MD5, which is and always was a different thing.
>
> If you have any pointers to our docs where the difference isn't made clear, the docs
> team would really like to hear specifics!  See the address above for their list.
>
> That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
> not overdue, given that SHA-1 is on equally shaky ground :)
Well, I don't think the question is whether MD5 is weak or not and whether APR-MD5 
is better, but whether we are willing to rename 'our MD5' to 
e.g. APR-MD5, which would make it a lot clearer for everyone that we 
support a special MD5 variant, and not plain weak MD5.
BTW, I stumbled over exactly the same thing years ago, and it took me a while to 
realize that httpd in fact uses APR-MD5, and not 'plain weak MD5' ... :-)

See e.g.:
http://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html#authdigestalgorithm
no mention that this is APR-MD5 ...
Also the quick reader who would look for the htpasswd options:
http://httpd.apache.org/docs/trunk/programs/htpasswd.html#options
would find:
-m
     Use MD5 encryption for passwords. This is the default.

Only if you read the overview is it mentioned that we use a special MD5:
"htpasswd encrypts passwords using either a version of MD5 modified for 
Apache, or the system's crypt() routine."

(and BTW, this sentence also lacks the 3rd method, SHA ...)

Gün.
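To make the distinction the thread is about concrete, here is an added Python example (not code from this thread, from httpd or from APR) that implements the $apr1$ scheme htpasswd -m writes, and checks it against an unsalted hex MD5 digest of the same password such as MySQL's MD5() would produce. The password "foo" and salt "abcdefgh" are constructed sample values, and the function names (apr1_crypt, verify_apr1, classify_hash, plain_md5_hex) are my own, not APR's.

```python
import hashlib
import hmac
import re
import secrets

# 64-character alphabet used by crypt()-style encodings (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = "$apr1$"
APR1_RE = re.compile(r"\$apr1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}")


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache-modified MD5 ("APR-MD5", $apr1$): the md5crypt construction with
    its own magic string, so the result is never equal to md5(password)."""
    pw = password.encode("utf-8")
    salt = salt[:8]                      # the salt is at most 8 characters
    sb = salt.encode("ascii")
    # Outer context seeded with password, magic and salt.
    ctx = hashlib.md5(pw + APR1_MAGIC.encode("ascii") + sb)
    # Inner digest of password+salt+password, mixed in once per 16 password bytes.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # For each bit of the password length, mix in a NUL or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds whose inputs depend on the round number.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Digest bytes are interleaved in this fixed order before encoding.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples
    )
    encoded += _to64(final[11], 2)
    return f"{APR1_MAGIC}{salt}${encoded}"


def new_apr1_hash(password: str) -> str:
    """Shape of what htpasswd -m stores: a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return apr1_crypt(password, salt)


def classify_hash(stored: str) -> str:
    """Tell apart the two things the thread says are both called 'MD5'."""
    if APR1_RE.fullmatch(stored):
        return "apr1"
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "plain-md5-hex"
    return "unknown"


def verify_apr1(password: str, stored: str) -> bool:
    """Accept only $apr1$ strings; a plain hex MD5 of the same password is a
    different scheme and is rejected, which is the behaviour the OP ran into."""
    match = APR1_RE.fullmatch(stored)
    if not match:
        return False
    return hmac.compare_digest(apr1_crypt(password, match.group(1)), stored)


def plain_md5_hex(password: str) -> str:
    """Stand-in for MySQL's MD5(): an unsalted hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample password and salt, not values from the thread.
    apr1 = apr1_crypt("foo", "abcdefgh")
    plain = plain_md5_hex("foo")
    print("APR-MD5:  ", apr1, classify_hash(apr1), verify_apr1("foo", apr1))
    print("plain MD5:", plain, classify_hash(plain), verify_apr1("foo", plain))
```

The two strings differ in length, alphabet and prefix, which is why a DB column filled with MD5(password) can never satisfy AuthDBDUserPWQuery: the $apr1$ prefix is what identifies the salted, 1000-round Apache variant, and a scheme label such as APR-MD5 in the docs would name exactly that.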