Feature #806

implementation of digest auth MD5-sess does not conform to rfc2617

Added by Anonymous over 13 years ago. Updated almost 4 years ago.

Status:
Wontfix
Priority:
Low
Assignee:
-
Category:
mod_auth
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

The digest auth implementation using algo=MD5-sess is broken.
It seems that someone just integrated the "sample implementation" that can
be found in rfc 2617 without having read section 3.2.2.2:


Related issues

Related to Bug #1844: Serious security problem in Digest Authentication (Fixed, 2008-12-12)

#1

Updated by gstrauss almost 4 years ago

  • Description updated (diff)
  • Category changed from core to mod_auth
  • Assignee deleted (jan)
#2

Updated by gstrauss almost 4 years ago

  • Related to Bug #1844: Serious security problem in Digest Authentication added
#3

Updated by gstrauss almost 4 years ago

  • Target version set to 1.4.41
#4

Updated by gstrauss almost 4 years ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Wontfix
  • Priority changed from Normal to Low
  • Target version deleted (1.4.41)

Related issue #1844 will be fixed in lighttpd 1.4.41

Digest algorithm="md5" is the default and will be implemented in lighttpd 1.4.41 mod_auth (not yet released)

Digest algorithm="md5-sess" is not correctly implemented in lighttpd, and so its use is not recommended.
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAuth will be updated to state this explicitly.

Please note that as this is being written, Apache mod_auth_digest does not implement algorithm="md5-sess" either.
https://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html

MD5-sess is not correctly implemented yet.

RFC7616 changes the required Digest algorithm to SHA2-256 but allows MD5 algorithm for backwards compatibility. Therefore, there are no plans to implement Digest algorithm="md5-sess". (In the future, SHA2-256 may be implemented in mod_auth.)

Please note that Digest auth is not cryptographically secure. It exists merely to be a better choice than Basic auth, addressing the security design flaw of passing clear-text username and password in Basic auth. There are more secure protocol transports and methods, such as TLS and public key auth using SSL client certs. This or other options (e.g. OAuth) should be preferred over Basic or Digest auth.
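To make the RFC 2617 section 3.2.2.2 point concrete, the following is an added example (not lighttpd code) that computes the Digest request-digest for both algorithm=MD5 and algorithm=MD5-sess; the only difference is how H(A1) is derived, and for MD5-sess it is hashed once more with the first nonce and cnonce of the session. The sample credentials are the worked example from RFC 2617 section 3.5, constructed here as test input.

```python
"""RFC 2617 Digest request-digest for algorithm=MD5 and algorithm=MD5-sess.

Added example, not lighttpd's mod_auth. Input values below are the RFC 2617
section 3.5 worked example, used here as constructed sample data.
"""
import hashlib
import hmac


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(algorithm, username, realm, password, nonce, cnonce):
    """H(A1) per RFC 2617 section 3.2.2.2.

    MD5:      A1 = username:realm:password
    MD5-sess: A1 = H(username:realm:password):nonce:cnonce, computed once
              per session from the first nonce/cnonce. A server only needs
              to store H(username:realm:password), never the clear password.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    algo = algorithm.lower()
    if algo == "md5-sess":
        ha1 = _md5_hex(f"{ha1}:{nonce}:{cnonce}")
    elif algo != "md5":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return ha1


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """request-digest = H(H(A1):nonce:nc:cnonce:qop:H(A2)), qop=auth only."""
    ha1 = ha1_for(algorithm, username, realm, password, nonce, cnonce)
    ha2 = _md5_hex(f"{method}:{uri}")  # qop=auth-int would also hash the body
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(algorithm, client_response, **fields):
    """Server-side check: recompute and compare in constant time."""
    return hmac.compare_digest(digest_response(algorithm, **fields), client_response)


# Constructed sample input: the RFC 2617 section 3.5 example exchange.
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                   password="Circle Of Life", method="GET", uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    for algo in ("MD5", "MD5-sess"):
        print(algo, digest_response(algo, **RFC_EXAMPLE))
```

A server that applies the plain-MD5 path to an algorithm="MD5-sess" client will reject every correct response, which is the non-conformance the issue describes.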
