[Solved] Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256
Added by bupthebroker over 4 years ago
Hi,
I am using lighttpd 1.4.54 with openssl. I have locked a page like this:
auth.require = ( "/test.html" => ( "method" => "digest", "algorithm" => "SHA-256", "realm" => "my-realm", "require" => "valid-user" ) )
Opera:
Everything works well. After I enter username and password and click on okay, I get a new request from the browser where con->request.uri->ptr == "/test.html".
Firefox:
Everything works well until the login popup. When I enter my username and password and click okay, I get a request from the browser where con->request.uri->ptr == "/favicon.ico". Naturally login fails since test.html is not requested; 401 appears.
Chrome/Chromium:
No login popup appears; it seems to continue automatically and con->request.uri->ptr == "/favicon.ico" again. test.html is not requested, 401 appears.
What causes some browsers to request the favicon.ico during the login process? If I select MD5 instead of SHA-256, then the browsers do not request favicon.ico and everything works well. Any ideas how to resolve?
Thanks!
Replies (5)
RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by bupthebroker over 4 years ago
Okaaaaaaay,
I now read this thread:
https://bugzilla.mozilla.org/show_bug.cgi?id=472823
"Guys... there is a very common use-case for home routers where they want to transfer authentication without tls.
Making them transfer it in MD5 because the privacy-aware and security-aware browser doesn't implement SHA-256 for this is insecure.
Chrome is also broken for this (ignores algorithm= and continues with md5) but if you think about your own home router... it's a missing piece of the security puzzle isn't it?"
So it seems i'm fu*kered...
RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by gstrauss over 4 years ago
lighttpd can be configured to support both SHA-256 and MD5: "algorithm" => "SHA-256|MD5"
More intelligent browsers will then be able to use SHA-256, although this configuration is still open to downgrade attacks.
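The exchange behind this answer, as an added example that is not lighttpd's code nor anything posted in the thread: a server offers one RFC 7616 Digest challenge per algorithm (strongest first, the equivalent of "SHA-256|MD5"), a client either honours the algorithm= parameter or, like the browsers described above, ignores it and answers with MD5, and the server recomputes the response, accepts only algorithms it actually offered, and reports when the client answered with a weaker algorithm than the one it offered first. The realm and the protected URI are the thread's; the user name, password, nonce handling and the simplified header parser are constructed assumptions, only qop=auth is handled, and the server holds the plaintext password for brevity where a real backend such as lighttpd's htdigest stores H(A1).

```python
import hashlib
import re
import secrets

# Constructed sample values; the user name and password are not from the thread.
REALM = "my-realm"          # realm from the thread's auth.require line
USERNAME = "alice"
PASSWORD = "correct horse"
METHOD = "GET"
URI = "/test.html"          # the protected page from the thread

HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}


def _h(algorithm, data):
    """Hex digest of `data` under the named RFC 7616 algorithm."""
    return HASHES[algorithm](data.encode()).hexdigest()


def digest_response(algorithm, username, password, realm, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_params(header):
    """Parse the key=value pairs after the 'Digest ' prefix (quoted or bare values)."""
    body = header.split(" ", 1)[1]
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def server_challenges(offered, nonce):
    """One WWW-Authenticate challenge per offered algorithm, strongest first,
    mirroring lighttpd's "algorithm" => "SHA-256|MD5" setting."""
    return [f'Digest realm="{REALM}", qop="auth", algorithm={alg}, nonce="{nonce}"'
            for alg in offered]


def client_authorize(challenges, honor_algorithm=True):
    """Build the Authorization header. A conforming client answers the first
    (strongest) challenge; honor_algorithm=False models a client that ignores
    algorithm= and always answers with MD5, as the thread describes."""
    chal = parse_params(challenges[0])
    algorithm = chal["algorithm"] if honor_algorithm else "MD5"
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(algorithm, USERNAME, PASSWORD, chal["realm"],
                           METHOD, URI, chal["nonce"], nc, cnonce)
    return (f'Digest username="{USERNAME}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{URI}", algorithm={algorithm}, '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authorization, offered, nonce, users):
    """Return (accepted, reason). Only algorithms actually offered are accepted,
    the response is recomputed and compared in constant time, and an answer in a
    weaker algorithm than the strongest offered is reported as a downgrade."""
    p = parse_params(authorization)
    alg = p.get("algorithm", "MD5")      # RFC 7616: an absent algorithm means MD5
    if alg not in offered:
        return False, f"algorithm {alg} not offered"
    if p.get("nonce") != nonce:
        return False, "unknown nonce"
    password = users.get(p.get("username"))   # real servers store H(A1), not the password
    if password is None:
        return False, "unknown user"
    expected = digest_response(alg, p["username"], password, p["realm"], METHOD,
                               p["uri"], nonce, p["nc"], p["cnonce"])
    if not secrets.compare_digest(expected, p["response"]):
        return False, "bad response"
    if alg != offered[0]:
        return True, f"downgraded to {alg} although {offered[0]} was offered"
    return True, f"authenticated with {alg}"


def run_exchange(offered, honor_algorithm=True):
    """Full challenge/response round trip between the two halves above."""
    nonce = secrets.token_hex(16)
    auth = client_authorize(server_challenges(offered, nonce), honor_algorithm)
    return server_verify(auth, offered, nonce, {USERNAME: PASSWORD})


if __name__ == "__main__":
    for offered in (["SHA-256"], ["SHA-256", "MD5"]):
        for honor in (True, False):
            label = "honours algorithm=" if honor else "ignores algorithm="
            print(offered, label, run_exchange(offered, honor))
```

With SHA-256 offered alone, the MD5-only client is rejected, which is the 401 the thread reports; with "SHA-256|MD5" the same client is accepted, and the reason string is where a server would log the downgrade, since a client that falls back to MD5 against a server that offered SHA-256 is indistinguishable from one whose challenge was tampered with on the wire.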
RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by bupthebroker over 4 years ago
The list of intelligent browsers seems to contain only Opera. It works well with Opera.
RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by gstrauss over 3 years ago
I wrote and submitted patches to Mozilla to add support in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=472823 "SHA 256 Digest Authentication"
https://bugzilla.mozilla.org/show_bug.cgi?id=281851 "CVE-2005-2395 Wrong scheme used when server offers both Basic and Digest auth"
https://phabricator.services.mozilla.com/D106241 "support SHA-256 HTTP Digest auth"
Open issue in Chrome:
https://bugs.chromium.org/p/chromium/issues/detail?id=1160478 "SHA-256 for HTTP Digest Access Authentication in accordance with rfc7616"
RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by gstrauss about 3 years ago
Firefox 93.0 supports SHA-256 for RFC 7616 HTTP Digest Access Authentication
(Firefox 93.0 is currently in alpha and general release is scheduled for 5 Oct 2021)