Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/01/24 12:27:38 UTC

DO NOT REPLY [Bug 52515] New: Digest auth specifically requires digested passwords to hashed with MD5

https://issues.apache.org/bugzilla/show_bug.cgi?id=52515

             Bug #: 52515
           Summary: Digest auth specifically requires digested passwords
                    to hashed with MD5
           Product: Tomcat 7
           Version: unspecified
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: djpowell@djpowell.net
    Classification: Unclassified


Re:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords


The documentation says:

"If using digested passwords with DIGEST authentication, the cleartext used to
generate the digest is different. In the examples above {cleartext-password}
must be replaced with {username}:{realm}:{cleartext-password}."


The documentation does not mention the fact that when using HTTP Digest Auth
with digested passwords, you MUST use the MD5 algorithm to digest the
passwords.

When the authentication is performed, the digest algorithm specified for the
realm is ignored, and MD5 is always used, so if SHA has been used,
authentication will fail.


(Would it be appropriate to log a warning if it is detected that Digest Auth is
being used and the Realm's digest algorithm is something other than MD5...?)

-- 
Dave
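The failure the report describes follows from how HTTP Digest authentication is computed. As an added illustration, which is not code from the report or from Tomcat, the Python below derives the stored digest the way the realm-howto prescribes (digest of `{username}:{realm}:{cleartext-password}`), computes the RFC 2617 `response` value (the simple variant without `qop`) on both the client and the server side, and shows that a stored value produced with anything other than MD5 can never match, because the server uses the stored digest directly as HA1 inside an MD5-only computation. The user, realm name, password and nonce are constructed sample values, and `realm_algorithm_mismatch` is a hypothetical helper mirroring the warning the reporter suggests, not a Tomcat API.

```python
import hashlib

# Constructed sample values (not from the report): a user, the realm name
# sent in the WWW-Authenticate challenge, and a one-off server nonce.
USERNAME = "dave"
REALM = "Example Realm"
PASSWORD = "correct horse"
NONCE = "0123456789abcdef"  # constructed; a real server issues a fresh one per challenge


def stored_digest(username: str, realm: str, password: str,
                  algorithm: str = "md5") -> str:
    """What the Realm stores when digested passwords are used with DIGEST auth:
    the hex digest of "{username}:{realm}:{cleartext-password}".
    'algorithm' stands in for the Realm's configured digest algorithm."""
    cleartext = f"{username}:{realm}:{password}"
    return hashlib.new(algorithm, cleartext.encode("utf-8")).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 'response' value without qop: MD5(HA1:nonce:HA2), where
    HA2 = MD5(method:uri). Both hashes are fixed to MD5 by the protocol."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode("utf-8")).hexdigest()


def client_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Browser side: HA1 is always MD5 of username:realm:password."""
    ha1 = stored_digest(username, realm, password, "md5")
    return digest_response(ha1, method, uri, nonce)


def server_accepts(stored: str, method: str, uri: str, nonce: str,
                   response: str) -> bool:
    """Server side with digested passwords: the stored value is used directly
    as HA1 and compared only after the MD5 response computation, so it must
    itself have been produced with MD5 or the comparison always fails."""
    return digest_response(stored, method, uri, nonce) == response


def realm_algorithm_mismatch(realm_algorithm: str) -> bool:
    """Hypothetical check the reporter asks about: True when a Realm used for
    DIGEST auth is configured with a digest algorithm other than MD5."""
    return realm_algorithm.strip().lower() != "md5"


def demo() -> dict:
    """Run one client request against an MD5-stored and a SHA-256-stored digest."""
    method, uri = "GET", "/protected/"
    resp = client_response(USERNAME, REALM, PASSWORD, method, uri, NONCE)
    md5_stored = stored_digest(USERNAME, REALM, PASSWORD, "md5")
    sha_stored = stored_digest(USERNAME, REALM, PASSWORD, "sha256")
    return {
        "md5_stored_accepted": server_accepts(md5_stored, method, uri, NONCE, resp),
        "sha256_stored_accepted": server_accepts(sha_stored, method, uri, NONCE, resp),
        "warn_for_sha256": realm_algorithm_mismatch("SHA-256"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints `md5_stored_accepted: True` and `sha256_stored_accepted: False`: the SHA-256 realm configuration is not weaker or stronger here, it is simply incompatible with the protocol's fixed MD5 HA1, which is why the documentation has to state the requirement rather than leave the algorithm to the Realm setting.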

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 52515] Digest auth specifically requires digested passwords to hashed with MD5

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52515

--- Comment #1 from David Powell <dj...@djpowell.net> 2012-01-24 11:30:37 UTC ---
Suggest changing the first sentence to something like:

If using digested passwords with DIGEST authentication, the MD5 algorithm must
be used for the message digest; additionally, the cleartext used to generate
the digest is different.

-- 
Dave



DO NOT REPLY [Bug 52515] Digest auth specifically requires digested passwords to hashed with MD5

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52515

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Mark Thomas <ma...@apache.org> 2012-01-27 22:55:05 UTC ---
Fixed in trunk and 7.0.x and will be included in 7.0.26 onwards.

I used slightly different wording since the important part - in my view - is
that the plain text is different.



[Bug 52515] Digest auth specifically requires digested passwords to hashed with MD5

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52515

--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
Clarification added to 6.0 docs as well, will be in 6.0.36.
