https://redmine.lighttpd.net/https://redmine.lighttpd.net/favicon.ico?13667327412009-04-13T23:31:59Zlighty labsLighttpd - Feature #1961: Add support for different hash functionshttps://redmine.lighttpd.net/issues/1961?journal_id=58452009-04-13T23:31:59Zicy
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul><p>To be honest, I don't see any big advantage in this but maybe I am missing something. If so, please speak up :)</p> Lighttpd - Feature #1961: Add support for different hash functionshttps://redmine.lighttpd.net/issues/1961?journal_id=58522009-04-15T12:47:49Zwienczny
<ul></ul><p>MD5 should be considered broken and should not be used for crypto any more. I don't know of any attack that directly affects the security of your tokens but it makes me feel queasy that a new attack might spit out the secret one day. To be prepared for that, it's better to be able to operate with different hash functions.<br />I don't want you to discard md5 by now. You could leave it as default when no hash function is given.</p> Lighttpd - Feature #1961: Add support for different hash functionshttps://redmine.lighttpd.net/issues/1961?journal_id=106992016-12-22T05:54:07Zgstrauss
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Fixed</i></li><li><strong>Target version</strong> set to <i>1.4.x</i></li></ul><p>mod_secdownload supports MD5 (the default), as well as HMAC-SHA1 and HMAC-SHA256 since lighttpd 1.4.38<br />See <a class="wiki-page" href="https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModSecDownload">Docs_ModSecDownload</a><br /><pre>
secdownload.algorithm = <string> ("md5", "hmac-sha1", "hmac-sha256")
</pre></p>
<p>It is better to enforce the algorithm used with a server-side config option, rather than to have the client able to specify a (weaker) option.</p> Lighttpd - Feature #1961: Add support for different hash functionshttps://redmine.lighttpd.net/issues/1961?journal_id=107302016-12-24T09:55:24Zgstrauss
<ul><li><strong>Target version</strong> changed from <i>1.4.x</i> to <i>1.4.38</i></li></ul>