httpd-docs mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 01:38:07 GMT
On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone
>> a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build
>> kit for apache modules.
>>
>> I strongly suspect your problem is on another level.
>>
>>
> 
> Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> method, it really shouldn't be called MD5 since it is not compatible with, well, base
> MD5 :)
> 
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> 
> MD5
> 
> "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times)
> MD5 digest of various combinations of a random 32-bit salt and the password. See the APR
> source file apr_md5.c
> <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co>
> for the details of the algorithm.
> 
> 
>       *MD5*
> 
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> 
> 
> I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5
> as we all know it, be, MD5.
> 
> and for this reason I will xpost to devs list for some clear (maybe) explanation as to
> why it was called this.
> 
> I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> combination, they are touted to work hand in hand, but as he pointed out, they are not,
> even exampled by openssl wanting -apr1 not -md5 to be compatible, so I can see how
> this would be a problem with MySQL insert of md5(foo) not be recognised by an Apache
> md5 wanting.

But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired
behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.

http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

