Posted to dev@httpd.apache.org by Kaspar Brand <ht...@velox.ch> on 2014/11/01 10:25:41 UTC

Re: Server(_rec) unique identifier

On 29.10.2014 11:41, Yann Ylavic wrote:
> I chose to use (MD5 digest) all the IP:port from the s->addrs list
> (ie. <VirtualHost IP|*|_default_:port ...>), plus s->server_hostname
> and s->port (ie. ServerName, be it configured or not, knowing that in
> the latter case, apr_gethostname() is used for the main server, and
> the main server's one is used for the vhosts).

Just an observation on the digest you're proposing: while it doesn't
seem necessary to proactively kill MD5 in httpd when it is used for
non-crypto purposes (see also RFC 6151), I would prefer another digest
algorithm being picked for new things (apr_sha1_* perhaps, considering
that APR doesn't currently have SHA-2 support?).

Kaspar

Re: Server(_rec) unique identifier

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Nov 1, 2014 at 10:25 AM, Kaspar Brand <ht...@velox.ch> wrote:
> On 29.10.2014 11:41, Yann Ylavic wrote:
>> I chose to use (MD5 digest) all the IP:port from the s->addrs list
>> (ie. <VirtualHost IP|*|_default_:port ...>), plus s->server_hostname
>> and s->port (ie. ServerName, be it configured or not, knowing that in
>> the latter case, apr_gethostname() is used for the main server, and
>> the main server's one is used for the vhosts).
>
> Just an observation on the digest you're proposing: while it doesn't
> seem necessary to proactively kill MD5 in httpd when it is used for
> non-crypto purposes (see also RFC 6151), I would prefer another digest
> algorithm being picked for new things (apr_sha1_* perhaps, considering
> that APR doesn't currently have SHA-2 support?).

I tend to agree, although SHA-1 is not much better wrt security,
and SHA-2 is not available in the minimal APR version(s) supported by
httpd(s).
In this case (non-crypto purpose, avoid non-malicious collisions),
SHA-1's digest has 4 more bytes (per scoreboard entry here), is
probably slower than MD5 (not in a fast path though), and this
concerns 2.2.x only.
Not sure it is worth the effort...
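A small Python model of the identifier derivation discussed in this thread, added here as an illustration and not code from httpd or APR. `ServerRec`, its field names and the line-based serialization are constructed stand-ins for `server_rec` and whatever byte layout the real patch feeds to the digest; `hashlib` stands in for `apr_md5`/`apr_sha1`, and the assumed `algo` parameter is only there to compare the 16- versus 20-byte digest sizes mentioned above.

```python
import hashlib
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServerRec:
    """Constructed stand-in for httpd's server_rec (only the fields the digest uses)."""
    addrs: List[Tuple[str, int]]            # s->addrs: (IP | "*" | "_default_", port) pairs
    port: int                               # s->port
    server_hostname: Optional[str] = None   # s->server_hostname; None when no ServerName
    is_main: bool = False                   # True for the main (non-vhost) server


def effective_hostname(s: ServerRec, main: ServerRec) -> str:
    """ServerName if configured; otherwise the main server uses apr_gethostname()
    and a vhost inherits the main server's name (as described in the thread)."""
    if s.server_hostname:
        return s.server_hostname
    if s.is_main:
        return socket.gethostname()
    return effective_hostname(main, main)


def server_id_input(s: ServerRec, main: ServerRec) -> bytes:
    """Canonical bytes hashed for one server: every IP:port from s->addrs,
    then hostname:port.  A fixed separator keeps "1.2.3.4:8" + "0" apart from
    "1.2.3.4:80" (an example of a non-malicious collision to avoid)."""
    parts = ["%s:%d" % (ip, port) for ip, port in s.addrs]
    parts.append("%s:%d" % (effective_hostname(s, main), s.port))
    return "\n".join(parts).encode("utf-8")


def server_id(s: ServerRec, main: ServerRec, algo: str = "md5") -> bytes:
    """Digest of the canonical input; md5 gives 16 bytes, sha1 gives 20
    (the 4-byte-per-scoreboard-entry difference noted above)."""
    return hashlib.new(algo, server_id_input(s, main)).digest()


if __name__ == "__main__":
    # Constructed sample configuration: a main server and two vhosts.
    main = ServerRec([("*", 80)], 80, "www.example.org", is_main=True)
    v1 = ServerRec([("192.0.2.1", 80)], 80, "a.example.org")
    v2 = ServerRec([("192.0.2.1", 443)], 443)   # no ServerName: inherits main's
    for s in (main, v1, v2):
        print(server_id(s, main).hex(), len(server_id(s, main, "sha1")))
```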