Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/03/05 09:30:53 UTC

[Bug 54637] New: Digest: secret not used

https://issues.apache.org/bugzilla/show_bug.cgi?id=54637

            Bug ID: 54637
           Summary: Digest: secret not used
           Product: Apache httpd-2
           Version: 2.4.4
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth_digest
          Assignee: bugs@httpd.apache.org
          Reporter: nicolas.daniels@bluepimento.eu
    Classification: Unclassified

Not sure this is a bug, but nobody is replying to me on the user mailing list, so I
filed it here.

I've been trying digest authentication for a while now and just noticed a
strange behavior when working on a cluster.

Actually I have 2 Apaches behind a load balancer (so serving the same domain), and I
noticed that an authentication sent to Apache A is valid when sent to Apache B.
Let me explain:

1. My client connects to Apache A; it receives an authentication-required response with
a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly using the
nonce already received, but the request goes to Apache B ---> No problem, the
nonce is valid!

Looking at the code, it seems everything is done to prevent this by using a
randomly generated secret in the nonce hash.

However, debugging a bit, it seems the nonce_ctx initialization is performed
BEFORE the secret initialization, so it is always initialized with the same
empty secret and the generated nonces are valid everywhere.

So basically, in mod_auth_digest.c, the set_realm function is called before
initialize_secret.

Actually this behavior fits my needs for now, but I wanted to know if it is a
desired behavior, if it is a bug, and if it might change in a future version?

I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
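The following is an added example, not part of the bug report and not the code of mod_auth_digest.c. It is a simplified model of a time-limited Digest nonce that is bound to a per-server secret, written to show what the report describes: when the secret is left empty on every node, a nonce minted by node A verifies on node B (the "valid everywhere" behavior), and anyone who knows the realm can also mint a fresh-looking nonce themselves, so the 1h lifetime is only enforced against honest clients. The nonce layout (base64 timestamp followed by a hex HMAC-SHA1 over realm and timestamp), the realm name, the issue time and the secrets are all assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Added example: a simplified model of a Digest nonce bound to a per-server
# secret, written to illustrate the bug report. It is NOT mod_auth_digest.c;
# the nonce layout (base64 timestamp || hex HMAC-SHA1) and the hash inputs are
# assumptions chosen for the demonstration.

NONCE_LIFETIME = 3600   # seconds; the report mentions a 1h nonce validity
TS_B64_LEN = 12         # 8-byte big-endian timestamp -> 12 base64 characters


class DigestServer:
    """One httpd node. secret=b'' models the never-initialised secret."""

    def __init__(self, realm: str, secret: bytes):
        self.realm = realm
        self.secret = secret

    def _nonce_hash(self, ts: int) -> str:
        # Binds the realm and issue time to this node's secret. With an empty
        # secret the MAC is computable by anyone who knows the realm.
        msg = self.realm.encode() + b":" + str(ts).encode()
        return hmac.new(self.secret, msg, hashlib.sha1).hexdigest()

    def gen_nonce(self, now: int) -> str:
        ts_part = base64.b64encode(now.to_bytes(8, "big")).decode()
        return ts_part + self._nonce_hash(now)

    def check_nonce(self, nonce: str, now: int) -> str:
        """Return 'ok', 'malformed', 'bad-hash' or 'stale'."""
        ts_part, mac = nonce[:TS_B64_LEN], nonce[TS_B64_LEN:]
        try:
            raw = base64.b64decode(ts_part, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            return "malformed"
        if len(raw) != 8:
            return "malformed"
        ts = int.from_bytes(raw, "big")
        # Verify the MAC before trusting the timestamp embedded in the nonce.
        if not hmac.compare_digest(mac, self._nonce_hash(ts)):
            return "bad-hash"
        if not 0 <= now - ts <= NONCE_LIFETIME:
            return "stale"
        return "ok"


def forge_nonce(realm: str, now: int) -> str:
    """An outsider minting a nonce with the assumed layout and NO secret,
    which is exactly what an all-nodes-empty secret lets through."""
    return DigestServer(realm, b"").gen_nonce(now)


def cluster_demo(secret_a: bytes, secret_b: bytes) -> dict:
    """Replay the three steps of the report against two nodes with the given
    secrets, plus an expiry, a forgery and a tampering check."""
    realm = "cluster.example"       # constructed realm name
    t0 = 1362000000                 # constructed issue time, fixed for determinism
    node_a = DigestServer(realm, secret_a)
    node_b = DigestServer(realm, secret_b)
    nonce = node_a.gen_nonce(t0)    # step 1: A hands out the nonce
    tampered = nonce[:-1] + ("0" if nonce[-1] != "0" else "1")
    return {
        "reuse_on_A": node_a.check_nonce(nonce, t0 + 300),   # step 2
        "reuse_on_B": node_b.check_nonce(nonce, t0 + 300),   # step 3
        "expired_on_A": node_a.check_nonce(nonce, t0 + NONCE_LIFETIME + 1),
        "forged_on_B": node_b.check_nonce(forge_nonce(realm, t0 + 300), t0 + 300),
        "tampered_on_A": node_a.check_nonce(tampered, t0 + 300),
    }


if __name__ == "__main__":
    print("empty secret on both nodes (the bug):", cluster_demo(b"", b""))
    print("independent per-node secrets:        ",
          cluster_demo(b"secret-of-A", b"secret-of-B"))
    print("same non-empty secret on both nodes: ",
          cluster_demo(b"shared", b"shared"))
```

With an empty secret on both nodes the nonce is accepted on A and on B, and the forged nonce is accepted too; with independent random secrets the nonce from A is rejected on B as "bad-hash", which is the cross-node rejection the reporter expected. For a load-balanced cluster that wants nonces to be portable between nodes, the third case is the intended shape: the same non-empty secret on every node, so nonces verify everywhere but outsiders still cannot mint them.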


[Bug 54637] Digest: secret not used

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54637

nicolas.daniels@bluepimento.eu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nicolas.daniels@bluepimento
                   |                            |.eu



[Bug 54637] Digest: secret not used

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54637

--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> ---
trunk commit: r1492395
