[UE] Unable to get SHA-256 to work

Added by sksinha_rm 23 days ago

I am running lighttpd 1.4.68 on Petalinux Xilinx SDK 2018.3. I need to use SHA-256 on a protected page.

I had the following cipher-list in my lighttpd.conf:

ssl.openssl.ssl-conf-cmd = ("CipherString" => "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA")

OR
ssl.openssl.ssl-conf-cmd = ("CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384")

auth.require = (
    "/" => (
        "method" => "digest",
        "algorithm" => "SHA-256",
        "realm" => "protected pages",
        "require" => "user=tester",
    )
)

I have encoded the password with SHA256 and added it to lighttpd.user. The above (1st option of cipher-list) works fine with an MD5-encoded password.

But, neither cipher-list seems to work with SHA-256.

I am using the latest Firefox on Windows to connect. Console output (of the response header) of a GET request is like:

WWW-Authenticate
Digest realm="protected pages", charset="UTF-8", algorithm=SHA-256, nonce="63ee28ef:26a81f50f9271a7c7c9f042f948cf1a5fd58af1a0c1ba85f705fb46c98765008", qop="auth
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0

but the status is: Status 401 Unauthorized

Security: connection is
Protocol version: TLSv1.2
Cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256

SHA-256 Fingerprint: A0:1B:7C:97:39:01:F0:85:99:85:FE:CA:D5:17:61:C8:5D:6B:14:DE:89:73:AB:67:2A:41:48:E1:4B:48:4D:4F
SHA1 Fingerprint: F6:4F:79:F3:B4:80:03:2D:CB:E4:8D:C0:72:30:23:8C:FF:A3:64:39

It looks like the TLS handshake for SHA-256 is OK. Do I need to add something else in lighttpd.conf? Am I missing something?

Similar issue on Edge and Chrome.
Any help or pointer will be very helpful.
Thanks in advance.


Replies (4)

[UE] RE: Unable to get SHA-256 to work - Added by gstrauss 23 days ago

> am I missing something.

Yes. You failed to read the documentation for mod_auth which answers most of your questions.

Your TLS configuration is independent and not relevant to mod_auth config, even if both might use the SHA256 algorithm.

RE: Unable to get SHA-256 to work - Added by sksinha_rm 21 days ago

Issue resolved. The issue was in copying the password to the lighttpd.user file: it was copied with an extra space. Thanks for the help and suggestions.
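
An added example (not part of the thread, and not lighttpd's own code): a checker for a digest user file that flags stray whitespace and a hash of the wrong length for the configured algorithm. It assumes lighttpd.user uses the htdigest layout `user:realm:hash` with the hash computed over `user:realm:password` as in RFC 7616; the function names, the sample password and the sample lines are constructed for illustration.

```python
import hashlib

HASH_LEN = {"MD5": 32, "SHA-256": 64}   # hex digits per Digest algorithm
HEX = set("0123456789abcdefABCDEF")

def ha1(user, realm, password, algorithm="SHA-256"):
    """RFC 7616 A1 hash: H(user:realm:password) as lowercase hex."""
    h = hashlib.sha256 if algorithm == "SHA-256" else hashlib.md5
    return h(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def check_line(line, algorithm="SHA-256"):
    """Return the problems found in one 'user:realm:hash' line (empty = OK)."""
    fields = line.rstrip("\r\n").split(":")   # strip the line terminator only
    if len(fields) != 3:
        return [f"expected 3 colon-separated fields, found {len(fields)}"]
    problems = []
    for name, value in zip(("user", "realm", "hash"), fields):
        if value != value.strip():
            problems.append(f"{name} field has leading/trailing whitespace")
    digest = fields[2].strip()
    want = HASH_LEN[algorithm]
    if not digest or not set(digest) <= HEX:
        problems.append("hash field is not hexadecimal")
    elif len(digest) != want:
        other = [a for a, n in HASH_LEN.items() if n == len(digest)]
        hint = f" (looks like {other[0]})" if other else ""
        problems.append(
            f"hash is {len(digest)} hex digits, {algorithm} needs {want}{hint}")
    return problems

# Constructed sample entries; the password is a made-up placeholder.
USER, REALM, PASSWORD = "tester", "protected pages", "example-password"
GOOD = f"{USER}:{REALM}:{ha1(USER, REALM, PASSWORD)}\n"
TRAILING_SPACE = GOOD.rstrip("\n") + " \n"   # one way an extra space gets pasted in
MD5_ENTRY = f"{USER}:{REALM}:{ha1(USER, REALM, PASSWORD, 'MD5')}\n"

if __name__ == "__main__":
    for label, line in (("good", GOOD), ("space", TRAILING_SPACE),
                        ("md5", MD5_ENTRY)):
        print(label, check_line(line) or "OK")
```

The realm in this thread contains an interior space, which is why the check looks only at leading and trailing whitespace of each field.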

RE: [UE] Unable to get SHA-256 to work - Added by sksinha_rm 19 days ago

Is there any mechanism to salt the password with some random number? I am unable to understand the use of "userhash". Any help/pointers will be useful.

RE: [UE] Unable to get SHA-256 to work - Added by gstrauss 19 days ago

RTFM and ask a more intelligent question that is more specific and shows that you tried to read the documentation. If you do not understand something specific in the documentation, ask a specific question referencing that specific part of the documentation. You failed to search for the word "salt" in mod_auth. It is unlikely that I will respond further here. You've wasted enough of my time by failing to try to read the documentation (and failing to demonstrate that you tried to read the documentation). I'm not going to read the documentation to you.
