Posted to users@httpd.apache.org by Mark Lentczner <ma...@glyphic.com> on 2002/09/20 19:47:28 UTC

[users@httpd] Digest authentication: mod_digest vs. mod_auth_digest

Okay, I've looked all over and I can't get a clear answer:

I want to use digest authentication on my site.  It seems clear from 
the Apache docs that mod_auth_digest is newer than mod_digest.  What 
isn't clear is which I should use.  I've found this much out:

==> mod_auth_digest implements the later RFC 2617, whereas I suspect 
that mod_digest does the older RFC 2069.
==> mod_auth_digest is clearly marked experimental.
==> The RedHat 7.3 RPMs for Apache (apache-1.3.23-14.rpm) only include 
mod_digest.
==> Various sources (Apache docs, this mailing list, usenet groups, 
etc...) all claim that digest authentication is not supported by many 
browsers - but most of these warnings seem either outdated, or just 
echoing other outdated sources.
==> My own tests with mod_digest yield that it works with IE 5.5/WinXP, 
IE 5.2/MacOSX, WebFolders/WinXP, WebDAV client/MacOSX, and 
Dreamweaver/WinXP.  Not bad - the only thing that didn't work was 
Goliath/MacOSX.

So, I'm looking for some clear answers and advice on:

Q.: Is there a clear preference for either mod_digest or 
mod_auth_digest?
Q.: Did RFC 2617 change digest authentication in a non-backward 
compatible way?
Q.: More specifically, does mod_auth_digest not work with all the 
browsers that work with mod_digest?
Q.: Are the warnings about lack of digest support in client software 
truly outdated?

For the record, I'm running Apache 1.3 and would like to keep using the 
RedHat supplied RPMs if possible, but I'm willing to compile my own if 
need be.  I'm actually only protecting the WebDAV access to some hosted 
friends' sites with digest authentication.  Hence, I don't really care 
if the content is encrypted en route: it's all just public HTML 
documents anyway!

I did try the SSL/TLS route first (which I had working), but this is 
actually *less* compatible: None of the web authoring tools that have 
built-in WebDAV support will do it over SSL/TLS (neither will WebDAV 
support in Mac OS X, though Windows' WebFolders will, as will Goliath 
on Mac.)  So, please don't suggest I chuck digest authentication and 
just use SSL/TLS.

Thanks for any help you can shed on this...

	- Mark

Mark Lentczner, CEO
Glyphic Technology
http://www.glyphic.com/
lentczner@glyphic.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Digest authentication: mod_digest vs. mod_auth_digest

Posted by Joshua Slive <jo...@slive.ca>.
I'm not an expert on this, but I can fill in a few details.

Mark Lentczner wrote:

> Q.: Is there a clear preference for either mod_digest or mod_auth_digest?

mod_auth_digest is the preferred module.  It is the only one included in 
Apache 2.0, and the only one with recent development work.

> Q.: Did RFC 2617 change digest authentication in a non-backward 
> compatible way?

Don't know.

> Q.: More specifically, does mod_auth_digest not work with all the 
> browsers that work with mod_digest?

Don't know.

> Q.: Are the warnings about lack of digest support in client software 
> truly outdated?

Most newer browsers work with mod_auth_digest.  BUT, MSIE has a serious 
bug that will prevent the use of digest auth on URIs that contain a 
query string.

Joshua.
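
On the RFC 2069 vs. RFC 2617 question raised in this thread, an added example (not part of either post, and not code from mod_digest or mod_auth_digest) of how the request-digest is computed with and without RFC 2617's `qop` parameter. RFC 2617 keeps the older calculation for requests that carry no `qop`, so one check can serve both kinds of client. The function names and the parsed-fields dict are assumptions; the credentials and nonce are the worked example from RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Request-digest for MD5 digest auth.
    qop=None   -> RFC 2069 form, kept by RFC 2617 for compatibility
    qop="auth" -> RFC 2617 form, adding nonce count and client nonce
    """
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the URI is bound into the digest
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("this example handles only qop=auth with nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(fields, method, request_uri, password):
    """Server-side check of already-parsed Authorization fields (hypothetical dict)."""
    if fields["uri"] != request_uri:  # client and server must agree on the URI
        return False
    expected = digest_response(
        fields["username"], fields["realm"], password, method, fields["uri"],
        fields["nonce"], fields.get("qop"), fields.get("nc"), fields.get("cnonce"))
    return hmac.compare_digest(expected, fields["response"])

# Values from the worked example in RFC 2617.
PASSWORD = "Circle Of Life"
RFC2617_FIELDS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
# Constructed: the same request as a client without qop support would send it.
LEGACY_FIELDS = {k: v for k, v in RFC2617_FIELDS.items()
                 if k not in ("qop", "nc", "cnonce", "response")}
LEGACY_FIELDS["response"] = digest_response(
    "Mufasa", "testrealm@host.com", PASSWORD, "GET", "/dir/index.html",
    LEGACY_FIELDS["nonce"])

if __name__ == "__main__":
    for name, f in (("RFC 2617 qop=auth", RFC2617_FIELDS), ("no qop", LEGACY_FIELDS)):
        print(name, f["response"], verify(f, "GET", "/dir/index.html", PASSWORD))
```

Because the URI is hashed into the digest, a client and server that disagree about it, for instance over whether a query string is included, fail this check even with the right password.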

