On Monday 25 June 2012, Steve Marquess wrote:
> > I rather like the fact that you can use htpasswd on one system
> > and use the result on another system, regardless of the
> > operating system. If we are willing to give that up, we may just
> > make htpasswd use the more advanced schemes offered by the
> > system's crypt() function.
>
> One complication to keep in mind: when you don't do all your
> cryptography via a specific crypto library (OpenSSL, NSS, etc.)
> then FIPS 140-2 compliance goes from trivial (for 2.4) to messy.
> Not generally a problem outside of the U.S., but it very much
> matters anywhere in the U.S. government market.
The APR-MD5 password hashing is already implemented in apr-util and does not use an external crypto library. Would another password hashing algorithm change anything? Or is it already necessary for FIPS compliance to patch apr-util or httpd?

Cheers,
Stefan
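For reference on the portability point discussed above: the `$apr1$` scheme is the md5crypt construction with an Apache magic prefix, so its output depends only on the password, the salt and MD5 itself, not on the host's crypt(). The following is an added example, not code from this thread or from apr-util, reimplementing that scheme in Python with nothing but hashlib's MD5 (function names and the constructed salt are the author's choice).

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value: int, count: int) -> bytes:
    # crypt-style base64: emit `count` six-bit groups, least significant first
    return bytes(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password: bytes, salt: bytes) -> bytes:
    """Return the $apr1$ string for `password`; only the first 8 salt bytes are used."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Feed in the alternate digest, 16 bytes at a time, up to the password length
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # md5crypt quirk: per bit of the password length, append NUL or the first password byte
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with a fixed schedule of salt/password/previous digest
    for i in range(1000):
        round_ctx = hashlib.md5()
        round_ctx.update(password if i & 1 else final)
        if i % 3:
            round_ctx.update(salt)
        if i % 7:
            round_ctx.update(password)
        round_ctx.update(final if i & 1 else password)
        final = round_ctx.digest()
    # Byte-shuffled 22-character encoding of the 16-byte digest
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    ) + _to64(final[11], 2)
    return MAGIC + salt + b"$" + encoded

def apr1_verify(stored: bytes, password: bytes) -> bool:
    """Recompute with the salt embedded in `stored` and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split(b"$", 1)[0]
    return hmac.compare_digest(apr1_hash(password, salt), stored)
```

A line produced by `htpasswd -m` on one host verifies with this code on any other host, which is exactly what switching to the system crypt() schemes would give up.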
