On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let
>> alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime,
>> afaik - part of the build kit for apache modules.
>>
>> I strongly suspect your problem is on another level.
>>
>
> Actually, he is correct. Though, the Apache variant of md5 is a chosen
> improved security method, it really shouldn't be called MD5 since it is not
> compatible with, well, base MD5 :)
>
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>
> MD5
>
> "$apr1$" + the result of an Apache-specific algorithm using an iterated
> (1,000 times) MD5 digest of various combinations of a random 32-bit salt
> and the password. See the APR source file apr_md5.c
> <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co>
> for the details of the algorithm.
>
> *MD5*
>
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
>
> I agree Apache should probably not be calling it MD5. Perhaps it needs
> renaming and MD5 as we all know it, be, MD5.
>
> and for this reason I will xpost to devs list for some clear (maybe)
> explanation as to why it was called this.
>
> I don't think Edward's questioning is unreasonable, given the popularity of
> LAMP combination, they are touted to work hand in hand, but as he pointed
> out, they are not, even exampled by openssl wanting -apr1 not -md5 to be
> compatible, so I can see how this would be a problem with MySQL insert of
> md5(foo) not be recognised by an Apache md5 wanting.

But what does this have to do with httpd?

At best, you are suggesting a docs improvement. Otherwise this is on the
language you are using and not an ASF issue... but the desired behavior has
been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.

http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
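
Added example (not part of the thread, and not Apache, APR or OpenSSL code): a Python implementation of the "$apr1$" scheme described in the quoted Apache docs, next to the unsalted single-pass hex digest that MySQL's MD5() returns, to show why a stored md5(foo) value cannot be checked as an Apache MD5 password. The function names are assumptions made for this illustration; the script recomputes the hash quoted in the thread from its embedded salt.

```python
import hashlib
import hmac
# Illustrative helper names chosen for this example; not APR's or OpenSSL's API.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    """Compute the "$apr1$" string for password and salt (salt capped at 8 chars)."""
    salt = salt[:8]
    pw, s = password.encode(), salt.encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    # Mix in the alternate digest, one byte per password byte.
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    # One byte per bit of the password length: NUL or first password byte.
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    # The 1,000 iterations mentioned in the Apache docs quoted above.
    for i in range(1000):
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Custom base64: permuted byte triples, 6 bits at a time, low bits first.
    out = []
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c3]
        out += [ITOA64[v >> k & 0x3F] for k in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return f"$apr1${salt}${''.join(out)}"

def apr1_verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in stored and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]).encode(), stored.encode())

def mysql_style_md5(password: str) -> str:
    """What MySQL's MD5('...') yields: unsalted, single-pass, 32 hex chars."""
    return hashlib.md5(password.encode()).hexdigest()

if __name__ == "__main__":
    quoted = "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"  # hash quoted in the thread
    print(apr1_verify("myPassword", quoted), mysql_style_md5("myPassword"))
```

The salt travels inside the stored string, so verification needs only the password and the stored value; a bare hex MD5 has no salt field and fails the format check before any hashing happens.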
