You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Noel Butler <no...@ausics.net> on 2011/03/08 00:31:55 UTC

Re: mysql apache md5

On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:

> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
> 
> I strongly suspect your problem is on another level.
> 
> 


Actually, he is correct. Though, the Apache variant of md5 is a chosen
improved security method, it really shouldn't be called MD5 since it is
not compatible with, well, base MD5 :)

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

MD5

        "$apr1$" + the result of an Apache-specific algorithm using an
        iterated (1,000 times) MD5 digest of various combinations of a
        random 32-bit salt and the password. See the APR source file
        apr_md5.c for the details of the algorithm.
        


MD5

$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 


I agree Apache should probably not be calling it MD5. Perhaps it needs
renaming and MD5 as we all know it, be, MD5.

and for this reason I will xpost to devs list for some clear (maybe)
explanation as to why it was called this.

I don't think Edward's questioning is unreasonable, given the popularity
of LAMP combination, they are touted to work hand in hand, but as he
pointed out, they are not, even exampled by openssl wanting -apr1  not
-md5 to be compatible, so I can see how
this would be a problem with MySQL insert of md5(foo)  not be recognised
by an Apache md5 wanting.


Noel





> ----- Original Message -----
> > From: "Edward avanti" <ed...@gmail.com>
> > To: mysql@lists.mysql.com
> > Sent: Monday, 7 March, 2011 5:54:02 AM
> > Subject: Re: mysql apache md5
> > 
> > everything to do with mysql
> > I try make it clearer, sorry for not so in first post
> > 
> > customer relationship manager add users into mysql
> > we want not to use apache auth of encrypt, but use md5 for longer
> > password
> > apache use variant of md5, called md5 -apr, but mysql md5  only uses
> > the -1
> > type
> > so, when CRM add userlike
> > INSERT INTO users  (..other....`appass`) values  (...other...
> > 'MD5('$PASS')
> >   ....
> > the md5 -1 that mysql uses is not compatible so apache auth fail. the
> > variant is apaprently add
> > $apr1$<up to 8 chars>$md5passwordhere,
> > making allabove line the salted md5.
> > I try to get mysql and apache to play nice, but thy do not because
> > mysql and
> > apache not use same method, hence my attempt to work around, even SHA
> > same
> > affect, i am try use anything but DES encrypt('$PASS')
> > sadly that only thing that work happily witrh each other.
> > openssl have ability to do this so not sure why mysql not have option
> > 
> > Sure someone had same problem and simple work around to have mysql
> > use
> > correct md5, but no google fu work
> > 
> 
> -- 
> Bier met grenadyn
> Is als mosterd by den wyn
> Sy die't drinkt, is eene kwezel
> Hy die't drinkt, is ras een ezel
>

Re: mysql apache md5

Posted by André Malo <nd...@perlig.de>.
From the peanut gallery:

Oh dear.

The password encryption is called "MD5 based crypt" (as opposed to the DES 
based crypt used in the early days by various systems). "MD5 based crypt" 
is now standard with modern systems. There's nothing Apache-special about 
the algorithm. We just use a different init string here: $apr1$ instead of 
$1$ to avoid hash matches with the system password database 
(like /etc/shadow).

The only way to mistake it with plain MD5 hashing is being sloppy with 
wording.

See also: http://en.wikipedia.org/wiki/Crypt_%28Unix%29

nd
-- 
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook! Ook? Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook? Ook. Ook! Ook! Ook? Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook! Ook. Ook! Ook! Ook! Ook!           Ook! Ook.

Re: mysql apache md5

Posted by Guenter Knauf <fu...@apache.org>.
Am 08.03.2011 07:06, schrieb William A. Rowe Jr.:
>>> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
>>> Otherwise this is on the language you are using and not an ASF issue... but the desired
>>> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
>>> example... and apache_md5_crypt() is unambiguous.
>>>
>>> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
>>>
>>
>> That was a repost from  a mysql list...  the OP was saying md5 should be md5, when using
>> apache auth against an md5 hash as its auth mechanisms , it does not accept the md5 hash
>> inserted into a DB, ie : using mysql  insert md5(foo)  it wont for the OP recognise it,
>> when using AuthDBDUserPWQuery.
>>
>> In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
>> will forward your post to the OP.
>
> As cited above, we don't support just "any old arbitrary MD5", and if you are using
> that particular generic form of MD5 today, you really should spend some time reviewing
> security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
> question is not MD5, but Apache MD5, which is and always was a different thing.
>
> If you have any pointers to our docs where the difference isn't made clear, the docs
> team would really like to hear specifics!  See the address above for their list.
>
> That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
> not overdue, given that SHA-1 is on equally shakey ground :)
well, I dont think the question is if MD5 is weak or not and if APR-MD5 
is better, but the question is if we are willing to rename 'our MD5' to 
f.e. APR-MD5 which would make it a lot clearer for everyone that we 
support a special MD5 variant, and not plain weak MD5.
BTW. I stumbled over exactly same years ago, and it took me a while to 
realize that httpd uses in fact APR-MD5, and not 'plain weak MD5' ... :-)

see f.e.:
http://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html#authdigestalgorithm
no mention that this is APR-MD5 ...
also the quick reader who would look for the htpassword options:
http://httpd.apache.org/docs/trunk/programs/htpasswd.html#options
would find:
-m
     Use MD5 encryption for passwords. This is the default.

only if you read the overview there is mentioned that we use a special MD5:
"htpasswd encrypts passwords using either a version of MD5 modified for 
Apache, or the system's crypt() routine."

(and BTW. this sentence lacks also the 3rd method SHA ...)

Gün.

Re: mysql apache md5

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/8/2011 5:47 PM, Noel Butler wrote:
> 
> Incidentally, when will httpd accept sha2?  Planned in 2.2.x? or only 2.3/4.x ?

We won't implement the hash itself... so it would likely originate from tighter
integration with openssl (which would give us DES_crypt for legacy win32
compatibility).

Re: mysql apache md5

Posted by Noel Butler <no...@ausics.net>.
This is forwarded to the OP (CC'd) , thanks for clearing up a few things
for me as well, and perhaps the docs could be amended to reflect it is
not base md5, remember, most admins out there are not encryption
experts.

Incidentally, when will httpd accept sha2?  Planned in 2.2.x? or only
2.3/4.x ?

On Tue, 2011-03-08 at 00:06 -0600, William A. Rowe Jr. wrote:

> On 3/7/2011 8:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
> >> On 3/7/2011 5:31 PM, Noel Butler wrote:
> >> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
> >> >>
> >> >> I strongly suspect your problem is on another level.
> >> >>
> >> >>
> >> > 
> >> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> >> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> >> > 
> >> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> >> > 
> >> > MD5
> >> > 
> >> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> >> > digest of various combinations of a random 32-bit salt and the password. See the APR
> >> > source file apr_md5.c
> >> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
> >> > the details of the algorithm.
> >> > 
> >> > 
> >> >       *MD5*
> >> > 
> >> > $ openssl passwd -apr1 myPassword
> >> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> >> > 
> >> > 
> >> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> >> > we all know it, be, MD5.
> >> > 
> >> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> >> > it was called this.
> >> > 
> >> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> >> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
> >> > even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
> >> > this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
> >> > wanting.
> >>
> >> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
> >> Otherwise this is on the language you are using and not an ASF issue... but the desired
> >> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
> >> example... and apache_md5_crypt() is unambiguous.
> >>
> >> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> >>
> > 
> > That was a repost from  a mysql list...  the OP was saying md5 should be md5, when using
> > apache auth against an md5 hash as its auth mechanisms , it does not accept the md5 hash
> > inserted into a DB, ie : using mysql  insert md5(foo)  it wont for the OP recognise it,
> > when using AuthDBDUserPWQuery.
> > 
> > In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
> > will forward your post to the OP.
> 
> As cited above, we don't support just "any old arbitrary MD5", and if you are using
> that particular generic form of MD5 today, you really should spend some time reviewing
> security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
> question is not MD5, but Apache MD5, which is and always was a different thing.
> 
> If you have any pointers to our docs where the difference isn't made clear, the docs
> team would really like to hear specifics!  See the address above for their list.
> 
> That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
> not overdue, given that SHA-1 is on equally shakey ground :)
> 
> Back to our regular programming.

Re: mysql apache md5

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/7/2011 8:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
>> On 3/7/2011 5:31 PM, Noel Butler wrote:
>> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
>> >>
>> >> I strongly suspect your problem is on another level.
>> >>
>> >>
>> > 
>> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
>> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
>> > 
>> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>> > 
>> > MD5
>> > 
>> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
>> > digest of various combinations of a random 32-bit salt and the password. See the APR
>> > source file apr_md5.c
>> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
>> > the details of the algorithm.
>> > 
>> > 
>> >       *MD5*
>> > 
>> > $ openssl passwd -apr1 myPassword
>> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
>> > 
>> > 
>> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
>> > we all know it, be, MD5.
>> > 
>> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
>> > it was called this.
>> > 
>> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
>> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
>> > even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
>> > this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
>> > wanting.
>>
>> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
>> Otherwise this is on the language you are using and not an ASF issue... but the desired
>> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
>> example... and apache_md5_crypt() is unambiguous.
>>
>> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
>>
> 
> That was a repost from  a mysql list...  the OP was saying md5 should be md5, when using
> apache auth against an md5 hash as its auth mechanisms , it does not accept the md5 hash
> inserted into a DB, ie : using mysql  insert md5(foo)  it wont for the OP recognise it,
> when using AuthDBDUserPWQuery.
> 
> In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
> will forward your post to the OP.

As cited above, we don't support just "any old arbitrary MD5", and if you are using
that particular generic form of MD5 today, you really should spend some time reviewing
security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
question is not MD5, but Apache MD5, which is and always was a different thing.

If you have any pointers to our docs where the difference isn't made clear, the docs
team would really like to hear specifics!  See the address above for their list.

That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
not overdue, given that SHA-1 is on equally shakey ground :)

Back to our regular programming.

Re: mysql apache md5

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/7/2011 8:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:
>> On 3/7/2011 5:31 PM, Noel Butler wrote:
>> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
>> >>
>> >> I strongly suspect your problem is on another level.
>> >>
>> >>
>> > 
>> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
>> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
>> > 
>> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>> > 
>> > MD5
>> > 
>> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
>> > digest of various combinations of a random 32-bit salt and the password. See the APR
>> > source file apr_md5.c
>> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
>> > the details of the algorithm.
>> > 
>> > 
>> >       *MD5*
>> > 
>> > $ openssl passwd -apr1 myPassword
>> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
>> > 
>> > 
>> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
>> > we all know it, be, MD5.
>> > 
>> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
>> > it was called this.
>> > 
>> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
>> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
>> > even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
>> > this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
>> > wanting.
>>
>> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
>> Otherwise this is on the language you are using and not an ASF issue... but the desired
>> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
>> example... and apache_md5_crypt() is unambiguous.
>>
>> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
>>
> 
> That was a repost from  a mysql list...  the OP was saying md5 should be md5, when using
> apache auth against an md5 hash as its auth mechanisms , it does not accept the md5 hash
> inserted into a DB, ie : using mysql  insert md5(foo)  it wont for the OP recognise it,
> when using AuthDBDUserPWQuery.
> 
> In other words, if you claim to support MD5, it should read an inserted md5 hash. But I
> will forward your post to the OP.

As cited above, we don't support just "any old arbitrary MD5", and if you are using
that particular generic form of MD5 today, you really should spend some time reviewing
security lists, a ROT13 p/w encoding is just about as effective.  But the hash in
question is not MD5, but Apache MD5, which is and always was a different thing.

If you have any pointers to our docs where the difference isn't made clear, the docs
team would really like to hear specifics!  See the address above for their list.

That said, a "real" SHA-1 is supported, and stronger options are well warranted, if
not overdue, given that SHA-1 is on equally shakey ground :)

Back to our regular programming.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: mysql apache md5

Posted by Noel Butler <no...@ausics.net>.
On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:

> On 3/7/2011 5:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
> >>
> >> I strongly suspect your problem is on another level.
> >>
> >>
> > 
> > Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> > method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> > 
> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> > 
> > MD5
> > 
> > "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> > digest of various combinations of a random 32-bit salt and the password. See the APR
> > source file apr_md5.c
> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
> > the details of the algorithm.
> > 
> > 
> >       *MD5*
> > 
> > $ openssl passwd -apr1 myPassword
> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> > 
> > 
> > I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> > we all know it, be, MD5.
> > 
> > and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> > it was called this.
> > 
> > I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> > combination, they are touted to work hand in hand, but as he pointed out, they are not,
> > even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
> > this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
> > wanting.
> 
> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
> Otherwise this is on the language you are using and not an ASF issue... but the desired
> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
> example... and apache_md5_crypt() is unambiguous.
> 
> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> 


That was a repost from  a mysql list...  the OP was saying md5 should be
md5, when using apache auth against an md5 hash as its auth mechanisms ,
it does not accept the md5 hash inserted into a DB, ie : using mysql
insert md5(foo)  it wont for the OP recognise it, when using
AuthDBDUserPWQuery.

In other words, if you claim to support MD5, it should read an inserted
md5 hash. But I will forward your post to the OP.

Re: mysql apache md5

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
>>
>> I strongly suspect your problem is on another level.
>>
>>
> 
> Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> 
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> 
> MD5
> 
> "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> digest of various combinations of a random 32-bit salt and the password. See the APR
> source file apr_md5.c
> <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
> the details of the algorithm.
> 
> 
>       *MD5*
> 
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> 
> 
> I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> we all know it, be, MD5.
> 
> and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> it was called this.
> 
> I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> combination, they are touted to work hand in hand, but as he pointed out, they are not,
> even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
> this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
> wanting.

But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired
behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.

http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: mysql apache md5

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build kit for apache modules.
>>
>> I strongly suspect your problem is on another level.
>>
>>
> 
> Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> method, it really shouldn't be called MD5 since it is not compatible with, well, base MD5 :)
> 
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> 
> MD5
> 
> "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> digest of various combinations of a random 32-bit salt and the password. See the APR
> source file apr_md5.c
> <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
> the details of the algorithm.
> 
> 
>       *MD5*
> 
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> 
> 
> I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> we all know it, be, MD5.
> 
> and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> it was called this.
> 
> I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> combination, they are touted to work hand in hand, but as he pointed out, they are not,
> even exampled by openssl wanting -apr1  not -md5 to be compatible, so I can see how
> this would be a problem with MySQL insert of md5(foo)  not be recognised by an Apache md5
> wanting.

But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired
behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.

http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm