On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:

> On 3/7/2011 5:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, 
> >> let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache 
> >> Runtime, afaik - part of the build kit for apache modules.
> >>
> >> I strongly suspect your problem is on another level.
> >>
> >>
> > 
> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> > 
> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> > 
> > MD5
> > 
> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> > digest of various combinations of a random 32-bit salt and the password. See the APR
> > source file apr_md5.c
> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co>
> > for the details of the algorithm.
> > 
> > 
> >       *MD5*
> > 
> > $ openssl passwd -apr1 myPassword
> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> > 
> > 
> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> > we all know it, be, MD5.
> > 
> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> > it was called this.
> > 
> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
> > even exampled by openssl wanting -apr1 not -md5 to be compatible, so I can see how
> > this would be a problem with MySQL insert of md5(foo) not be recognised by an Apache md5
> > wanting.
> 
> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
> Otherwise this is on the language you are using and not an ASF issue... but the desired
> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
> example... and apache_md5_crypt() is unambiguous.
> 
> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> 


That was a repost from a mysql list... the OP was saying md5 should be
md5, when using apache auth against an md5 hash as its auth mechanisms,
it does not accept the md5 hash inserted into a DB, i.e.: using mysql
insert md5(foo) it won't for the OP recognise it, when using
AuthDBDUserPWQuery.

In other words, if you claim to support MD5, it should read an inserted
md5 hash. But I will forward your post to the OP.
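
Added example, not part of the original thread and not Apache's own code: a Python sketch of the `$apr1$` scheme that the quoted documentation describes, checked against the `openssl passwd -apr1 myPassword` line quoted above and against the bare hex digest that a SQL `MD5()` call stores. The function and constant names are assumptions made for this illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # crypt(3)-style base64: least significant 6 bits come first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))

def apr1_crypt(password, salt):
    """Salted, 1,000-round MD5 construction used for $apr1$ hashes."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    for n in range(len(pw), 0, -16):      # mix in alt, one password length's worth
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                              # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # the iterated part
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                  for a, b, c in order)
    return "$apr1$" + salt[:8] + "$" + out + _to64(final[11], 2)

def check_apr1(password, stored):
    """True only if `stored` is a $apr1$ hash of `password`."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        return False                      # e.g. a bare 32-hex MD5 digest
    return hmac.compare_digest(apr1_crypt(password, parts[2]).encode(),
                               stored.encode())

PAGE_HASH = "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"   # openssl output quoted above
PLAIN_MD5 = hashlib.md5(b"myPassword").hexdigest()    # what SQL MD5('myPassword') stores

if __name__ == "__main__":
    print(check_apr1("myPassword", PAGE_HASH))   # salted, iterated format
    print(check_apr1("myPassword", PLAIN_MD5))   # plain hex digest is a different format
```

The same password yields a 32-character hex string from plain MD5 and a salted `$apr1$salt$digest` string from the Apache scheme, so a column filled by `MD5(foo)` cannot match a checker that expects the `$apr1$` format.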


