Hi again Grégoire,
On 29/08/2014 15:19, Grégoire Morpain wrote:
Hi,
Thank you for your replies, I was just reading this part of the code and thought
about crypt(3) failing.
I now understand why it is failing, but I think this should be patched ASAP;
first, I think all libc functions' return values should be checked, all the time;
but at least, haproxy should generate an error when loading the configuration
file saying the password won't work.
Anyway, thank you very much for your help; hope this gets patched soon!
Patches have been applied to the 1.6 and 1.5 branches.
PS: Any advice on a "less worst" encryption method than md5/sha-1 for those
passwords? crypt(3) says it supports SHA-512, but I'm not sure how it works with the
config file.
Well, it really depends on the security context on your servers (the
server itself, backups, security compliance, performance requirements,
...) and what you mean by "less worst".
Remember that with HTTP Basic Auth, the password is only base64 encoded
and also that haproxy will have to encrypt the password for each
request. The effort to give is then in your hand ;-)
I've made a quick test which encrypts the password "foo" 1000 times:
- in MD5, it took 0.267s
- in SHA-256, 3.306s
- in SHA-512, 4.107s
--
Cyril Bonté
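The two points raised in the thread, checking what crypt(3) actually returns before using the result, and the cost of MD5 versus SHA-256 versus SHA-512 over 1000 calls, can be reproduced outside haproxy. The following is an added example written for this page, not code from the thread or from haproxy: it loads the system crypt(3) through ctypes so that a NULL return is visible to the caller as `None`, refuses a result whose prefix does not match the requested setting (which is how a libc that does not know `$6$` silently hands back something else), and repeats Cyril's 1000-call timing. The salt `saltsalt`, the bogus `$9$` prefix and the function names are mine; the library names tried by `_load_crypt` are the usual ones on Linux (glibc/libxcrypt) and musl, with a fallback to the process's own libc.

```python
"""Generate, verify and benchmark crypt(3) hashes, checking the return value.

Added example for the haproxy thread above (not haproxy code). It calls the
system crypt(3) via ctypes so that a NULL return shows up as None and the
caller must deal with it, instead of dereferencing it.
"""
import ctypes
import ctypes.util
import hmac
import time


def _load_crypt():
    """Return a ctypes handle to crypt(3): libcrypt first, then the process libc."""
    candidates = ["libcrypt.so.1", "libcrypt.so.2", "libcrypt.so",
                  ctypes.util.find_library("crypt"), None]  # None = main program
    last_err = None
    for name in candidates:
        try:
            fn = ctypes.CDLL(name, use_errno=True).crypt
        except (OSError, AttributeError) as exc:
            last_err = exc
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p  # a NULL pointer is returned as None
        return fn
    raise RuntimeError("crypt(3) not found: %s" % last_err)


_crypt = _load_crypt()


def raw_crypt(password, setting):
    """Call crypt(3) and return (result or None, errno)."""
    ctypes.set_errno(0)
    out = _crypt(password.encode(), setting.encode())
    return (None if out is None else out.decode("ascii")), ctypes.get_errno()


def make_hash(password, setting):
    """Hash for a haproxy 'user ... password' line, or None if unusable.

    Three outcomes are treated as failure: a NULL return (what an unchecked
    caller would crash on), a failure token such as "*0" from libxcrypt, and
    a result whose prefix differs from the requested setting, i.e. the libc
    did not recognise the algorithm and quietly used another one.
    """
    out, _err = raw_crypt(password, setting)
    if out is None or not out.startswith(setting.rstrip("$")):
        return None
    return out


def verify(password, stored):
    """Check a candidate password against a stored hash; never raises on NULL."""
    out, _err = raw_crypt(password, stored)
    if out is None:
        return False
    return hmac.compare_digest(out.encode(), stored.encode())


def bench(setting, n=1000, password="foo"):
    """Seconds spent on n crypt(3) calls with this setting (Cyril's test)."""
    t0 = time.perf_counter()
    for _ in range(n):
        raw_crypt(password, setting)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed settings: fixed salt "saltsalt" so the runs are comparable.
    for label, setting in (("MD5", "$1$saltsalt$"),
                           ("SHA-256", "$5$saltsalt$"),
                           ("SHA-512", "$6$saltsalt$")):
        h = make_hash("foo", setting)
        if h is None:
            print("%-8s unsupported by this libc (errno %d)" % ((label,) + raw_crypt("foo", setting)[1:]))
            continue
        print("%-8s %s  1000x in %.3fs" % (label, h, bench(setting)))
    # Unknown prefix: glibc returns NULL, libxcrypt returns "*0"; both give None here.
    print("bogus $9$ prefix ->", make_hash("foo", "$9$nope"))
```

The string returned by `make_hash` is what goes after `password` on a `user` line of a haproxy `userlist`; the point of running `make_hash` rather than pasting a hash produced elsewhere is that it fails on the machine that will actually serve the requests, which is where the thread's crypt(3) failure happened.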