httpd-docs mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 06:06:26 GMT
On 3/7/2011 8:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
>> On 3/7/2011 5:31 PM, Noel Butler wrote:
>> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a
>> >> salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the
>> >> build kit for apache modules.
>> >>
>> >> I strongly suspect your problem is on another level.
>> >>
>> >>
>> > 
>> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
>> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
>> > 
>> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>> > 
>> > MD5
>> > 
>> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
>> > digest of various combinations of a random 32-bit salt and the password. See the APR
>> > source file apr_md5.c
>> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
>> > the details of the algorithm.
>> > 
>> > 
>> >       *MD5*
>> > 
>> > $ openssl passwd -apr1 myPassword
>> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
>> > 
>> > 
>> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
>> > we all know it, be, MD5.
>> > 
>> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
>> > it was called this.
>> > 
>> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
>> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
>> > even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
>> > this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
>> > wanting.
>>
>> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
>> Otherwise this is on the language you are using and not an ASF issue... but the desired
>> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
>> example... and apache_md5_crypt() is unambiguous.
>>
>> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
>>
> 
> That was a repost from a mysql list...  the OP was saying md5 should be md5, when using
> apache auth against an md5 hash as its auth mechanisms , it does not accept the md5 hash
> inserted into a DB, ie : using mysql  insert md5(foo)  it won't for the OP recognise it,
> when using AuthDBDUserPWQuery.
> 
> In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
> will forward your post to the OP.

As cited above, we don't support just "any old arbitrary MD5", and if you are using
that particular generic form of MD5 today, you really should spend some time reviewing
security lists; a ROT13 p/w encoding is just about as effective.  But the hash in
question is not MD5, but Apache MD5, which is and always was a different thing.

If you have any pointers to our docs where the difference isn't made clear, the docs
team would really like to hear specifics!  See the address above for their list.

That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
not overdue, given that SHA-1 is on equally shaky ground :)

Back to our regular programming.
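
Added example, not part of the original message and not APR's own code: a Python reimplementation of the `$apr1$` scheme (following the structure of the `apr_md5.c` file referenced in the thread), checked against the `openssl passwd -apr1` output quoted above, to show why a bare `md5(foo)` hex digest cannot match an Apache MD5 entry. The function and constant names are this example's own.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value: int, count: int) -> str:
    """Emit `count` characters, 6 bits each, least-significant bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Apache "$apr1$" hash: salted MD5 with 1,000 stretching rounds."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + MAGIC + salt)
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    n = len(password)
    while n:  # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    body = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return f"$apr1${salt.decode('ascii')}${body}"

def verify_apr1(password: bytes, stored: str) -> bool:
    """Check a password against a stored "$apr1$salt$hash" string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # e.g. a bare MySQL MD5() hex digest lands here
    candidate = apr1_crypt(password, parts[2].encode("ascii"))
    return hmac.compare_digest(candidate, stored)

PAGE_HASH = "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"  # openssl output quoted in the thread
PLAIN_MD5 = hashlib.md5(b"myPassword").hexdigest()    # what MySQL MD5('myPassword') yields
```

The salt lives inside the stored string, so the verifier must parse it out and rerun the 1,000 rounds; an unsalted 32-character hex digest has no salt field and can never compare equal.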
