[Solved] support SHA256 in http_auth.c
Added by Anonymous about 6 years ago
Hello!
When will SHA256 be supported in http_auth.c?
Right now it uses only md5(id:realm:md5hash).
I am waiting for this.
Please answer me.
Thank you :)
Replies (5)
RE: support SHA256 in http_auth.c - Added by gstrauss about 6 years ago
Not planned. Also, this (vague) request is also not supported in a number of other web servers.
Why do you think you need this? Perhaps you can add some links to security papers suggesting this practice?
mod_authn_file.c supports SHA1 and NTLM, in addition to MD5, similar to Apache. However, all of these algorithms are no longer considered cryptographically secure, so you should consider using SSL/TLS to protect HTTP connections on which authentication occurs.
RE: support SHA256 in http_auth.c - Added by Anonymous about 6 years ago
As far as I know, the lighttpd.user file uses a user id and password.
We store all files in NAND, including the lighttpd.user file.
But this file doesn't support SHA2 (only MD5).
So we added an AES128 algorithm and use it when the lighttpd.user file stores the password.
I don't understand why this is not planned.
I think the message digest package also has to be upgraded to something more secure than MD5.
And, by other methods, how can we store the lighttpd.user file (userid:realm:password) more securely?
RE: support SHA256 in http_auth.c - Added by gstrauss about 6 years ago
Please read my earlier response. Ask a friend to help translate it.
RE: support SHA256 in http_auth.c - Added by gstrauss about 6 years ago
Are you referring to RFC7616? https://tools.ietf.org/html/rfc7616
RE: support SHA256 in http_auth.c - Added by gstrauss over 3 years ago
RFC 7616 support was added in lighttpd 1.4.54, but among popular browsers, only Opera currently supports algorithm=SHA-256.
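
Added example, not part of the thread and not lighttpd's code: a Python sketch of the RFC 7616 digest computation discussed above. It builds a `userid:realm:hash` line with MD5 or SHA-256 and verifies a client response using only that stored line. All user names, realms, nonces and helper names are constructed for illustration.

```python
import hashlib
import hmac

# RFC 7616 algorithm tokens mapped to hash constructors
ALGS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def h(alg, text):
    return ALGS[alg](text.encode("utf-8")).hexdigest()

def user_file_line(alg, user, realm, password):
    """Build 'userid:realm:H(userid:realm:password)', i.e. the stored HA1."""
    ha1 = h(alg, f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"

def digest_response(alg, ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = h(alg, f"{method}:{uri}")
    return h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(alg, line, req):
    """Server side: needs only the stored line, never the cleartext password.
    The stored hash is therefore password-equivalent and the file must be
    protected like a password, whichever hash algorithm is used."""
    user, realm, ha1 = line.split(":", 2)
    if (req["username"], req["realm"]) != (user, realm):
        return False
    expected = digest_response(alg, ha1, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
    # constant-time comparison to avoid leaking match length via timing
    return hmac.compare_digest(expected, req["response"])

def client_request(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: derive HA1 from the typed password and answer the challenge."""
    ha1 = user_file_line(alg, user, realm, password).split(":", 2)[2]
    return {"username": user, "realm": realm, "method": method, "uri": uri,
            "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response(alg, ha1, method, uri, nonce, nc, cnonce)}

# Constructed sample values (not from the thread)
USER, REALM, PASSWORD = "alice", "device-admin", "correct horse"
CHALLENGE = ("GET", "/status", "constructed-nonce-0001", "00000001", "constructed-cnonce")

if __name__ == "__main__":
    for alg in ALGS:
        line = user_file_line(alg, USER, REALM, PASSWORD)
        ok = verify(alg, line, client_request(alg, USER, REALM, PASSWORD, *CHALLENGE))
        print(alg, line, "verified" if ok else "rejected")
```

Neither algorithm changes the fact that the stored value is a fast, unsalted-per-user hash, which is why the reply above points to SSL/TLS for protecting the connections on which authentication occurs.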