On 20 Jan 2017, at 20:49, William A Rowe Jr <wr...@rowe-clan.net> wrote:

> Note that https://www.rfc-editor.org/rfc/rfc7616.txt still provides
> for MD5 hashed digest auth keys. So removing this altogether will
> break mod_auth_digest in a manner that breaks existing user auth.

Right - and these need to stay. These are for interoperability reasons - and only affect that.

I think I am getting somewhere - currently going to a handful of packages that use APR and splitting things into:

    apr_digest_64()
    apr_digest_128()
    apr_digest_256()
    apr_digest_512()

for places where there is no cryptographic need and

    apr_crypto_digest

--- with the actual name of a cryptographic algorithm like SHA256, etc. Either because it has a cryptographic need -or- because of interoperability -or- both.

And that seems to yield fairly clean results - which ultimately are conducive to 'fips' style flags to 'force' ancient algorithms, like MD5, to be not in critical places; while letting harmless continue.

Dw
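
The split proposed in this message, sketched in Python as an added example (not code from the thread and not APR's API): sized digests for non-cryptographic use, a named-algorithm call for cryptographic or interoperability use, and a 'fips' style flag that refuses MD5 except where it is declared as interop, as with the RFC 7616 digest-auth HA1 value. The function names, the `LEGACY` set, the `interop`/`strict` parameters and the use of BLAKE2b for the sized digests are all assumptions made for illustration.

```python
import hashlib

# Hypothetical names modelled on the apr_digest_N() / apr_crypto_digest split.
LEGACY = {"md5", "sha1"}   # assumption: what a 'fips' style flag treats as ancient


class PolicyError(Exception):
    """A legacy algorithm was requested for a cryptographic purpose in strict mode."""


def digest_n(data: bytes, bits: int) -> bytes:
    """Sized digest for callers with no cryptographic need (cache keys, ETags).

    The caller picks a width, never an algorithm, so the implementation can
    change without touching call sites. BLAKE2b is this example's choice.
    """
    if bits not in (64, 128, 256, 512):
        raise ValueError(f"unsupported digest width: {bits}")
    return hashlib.blake2b(data, digest_size=bits // 8).digest()


def crypto_digest(alg: str, data: bytes, *, interop: bool = False,
                  strict: bool = False) -> bytes:
    """Named-algorithm digest: the caller states which algorithm and why.

    strict  -- the 'fips' style flag
    interop -- the algorithm is dictated by a wire protocol or stored format
    """
    alg = alg.lower()
    if alg in LEGACY:
        if strict and not interop:
            raise PolicyError(f"{alg} refused for cryptographic use in strict mode")
        # usedforsecurity=False (Python 3.9+) keeps the call reachable on
        # FIPS-restricted builds, where plain MD5 raises ValueError.
        return hashlib.new(alg, data, usedforsecurity=False).digest()
    return hashlib.new(alg, data).digest()


def digest_auth_ha1(user: str, realm: str, password: str, *, strict: bool) -> str:
    """HA1 = MD5(user:realm:password) as used for MD5 digest auth in RFC 7616.

    Existing stored credentials depend on this value, so it is marked interop
    and keeps working when strict mode is on.
    """
    a1 = f"{user}:{realm}:{password}".encode()
    return crypto_digest("md5", a1, interop=True, strict=strict).hex()
```

With `strict=True`, `digest_auth_ha1()` still returns the same value as before, while a bare `crypto_digest("md5", ...)` at any other call site raises `PolicyError`, which makes the remaining legacy uses easy to find in a code base.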