This is forwarded to the OP (CC'd), thanks for clearing up a few things for me as well, and perhaps the docs could be amended to reflect it is not base md5, remember, most admins out there are not encryption experts.

Incidentally, when will httpd accept sha2? Planned in 2.2.x? or only 2.3/4.x?

On Tue, 2011-03-08 at 00:06 -0600, William A. Rowe Jr. wrote:
> On 3/7/2011 8:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
> >> On 3/7/2011 5:31 PM, Noel Butler wrote:
> >> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
> >> >>
> >> >> I strongly suspect your problem is on another level.
> >> >
> >> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> >> >
> >> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> >> >
> >> > MD5
> >> >
> >> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for the details of the algorithm.
> >> >
> >> > *MD5*
> >> >
> >> > $ openssl passwd -apr1 myPassword
> >> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> >> >
> >> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as we all know it, be, MD5.
> >> >
> >> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why it was called this.
> >> >
> >> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP combination, they are touted to work hand in hand, but as he pointed out, they are not, even exampled by openssl wanting -apr1 not -md5 to be compatible, so I can see how this would be a problem with MySQL insert of md5(foo) not be recognised by an Apache md5 wanting.
> >>
> >> But what does this have to do with httpd? At best, you are suggesting a docs improvement. Otherwise this is on the language you are using and not an ASF issue... but the desired behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl example... and apache_md5_crypt() is unambiguous.
> >>
> >> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> >>
> >
> > That was a repost from a mysql list... the OP was saying md5 should be md5, when using apache auth against an md5 hash as its auth mechanisms, it does not accept the md5 hash inserted into a DB, ie: using mysql insert md5(foo) it won't for the OP recognise it, when using AuthDBDUserPWQuery.
> >
> > In other words, if you claim to support MD5, it should read an inserted md5 hash. But I will forward your post to the OP.
>
> As cited above, we don't support just "any old arbitrary MD5", and if you are using that particular generic form of MD5 today, you really should spend some time reviewing security lists, a ROT13 p/w encoding is just about as effective. But the hash in question is not MD5, but Apache MD5, which is and always was a different thing.
>
> If you have any pointers to our docs where the difference isn't made clear, the docs team would really like to hear specifics! See the address above for their list.
>
> That said, a "real" SHA-1 is supported, and stronger options are well warranted, if not overdue, given that SHA-1 is on equally shaky ground :)
>
> Back to our regular programming.
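To make the point of the thread concrete, here is an added example (not part of the original mail exchange) that reimplements the "$apr1$" scheme the way apr_md5_encode() in apr_md5.c defines it, reproduces the docs' sample hash for myPassword, and shows why a plain MySQL MD5() hex digest can never match it. The function names apr1_crypt, verify_apr1 and mysql_md5 are my own.

```python
import hashlib
import hmac

# Character set of the apr1 (classic md5-crypt style) base64 variant.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_ID = "$apr1$"

def _to64(value: int, count: int) -> str:
    # `count` characters of 6 bits each, least-significant bits first.
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_crypt(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<hash>", following apr_md5_encode() in apr_md5.c."""
    pw = password.encode()
    # Accept a bare salt or a whole "$apr1$..." string; the salt ends at the
    # first '$' and is at most 8 characters long.
    raw = salt[len(APR1_ID):] if salt.startswith(APR1_ID) else salt
    sp = raw.split("$", 1)[0][:8].encode()
    ctx = hashlib.md5(pw + APR1_ID.encode() + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:  # as many bytes of MD5(pw + salt + pw) as the password is long
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the 1,000 stretching rounds mentioned in the docs
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Digest bytes are interleaved before encoding, exactly as apr_md5.c does.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return APR1_ID + sp.decode() + "$" + out + _to64(final[11], 2)

def verify_apr1(password: str, stored: str) -> bool:
    """Check a password against a stored $apr1$ string in constant time."""
    if not stored.startswith(APR1_ID):
        return False  # e.g. a MySQL MD5() hex digest is not an apr1 hash at all
    return hmac.compare_digest(apr1_crypt(password, stored), stored)

def mysql_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()  # what MySQL MD5() stores
```

A row written with MySQL's MD5('myPassword') therefore fails AuthDBDUserPWQuery not because of a bug but because it is an unsalted, single-round digest in a different format; storing the output of apr1_crypt (or of `htpasswd`/`openssl passwd -apr1`) in the table is what makes the lookup succeed.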