<p><strong>Lighttpd - Feature #806: implementation of digest auth MD5-sess does not conform to rfc2617</strong><br /><a class="external" href="https://redmine.lighttpd.net/issues/806">https://redmine.lighttpd.net/issues/806</a> (lighty labs issue tracker)</p>
<p>Updated by gstrauss, 2016-05-01T06:44:06Z</p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/9503/diff?detail_id=7537">diff</a>)</li><li><strong>Category</strong> changed from <i>core</i> to <i>mod_auth</i></li><li><strong>Assignee</strong> deleted (<del><i>jan</i></del>)</li></ul>
<p>Updated by gstrauss, 2016-06-15T18:15:00Z</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/1844">Bug #1844</a>: Serious security problem in Digest Authentication</i> added</li></ul>
<p>Updated by gstrauss, 2016-06-16T05:32:40Z</p>
<ul><li><strong>Target version</strong> set to <i>1.4.41</i></li></ul>
<p>Updated by gstrauss, 2016-06-18T03:24:50Z</p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Wontfix</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li><li><strong>Target version</strong> deleted (<del><i>1.4.41</i></del>)</li></ul><p>Related issue <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Serious security problem in Digest Authentication (Fixed)" href="https://redmine.lighttpd.net/issues/1844">#1844</a> will be fixed in lighttpd 1.4.41</p>
<p>Digest algorithm="md5" is the default and will be implemented in lighttpd 1.4.41 mod_auth (not yet released)</p>
<p>Digest algorithm="md5-sess" is not correctly implemented in lighttpd, and so its use is not recommended.<br /><a class="external" href="https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAuth">https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAuth</a> will be updated to state this explicitly.</p>
<p>Please note that as this is being written, Apache mod_auth_digest does not implement algorithm="md5-sess" either.<br /><a class="external" href="https://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html">https://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html</a></p>
<blockquote>
<p>MD5-sess is not correctly implemented yet.</p>
</blockquote>
<p>RFC7616 changes the required Digest algorithm to SHA2-256 but allows MD5 algorithm for backwards compatibility. Therefore, there are no plans to implement Digest algorithm="md5-sess". (In the future, SHA2-256 may be implemented in mod_auth.)</p>
<p>Please note that Digest auth is not cryptographically secure. It exists merely to be a better choice than Basic auth, addressing the security design flaw of passing clear-text username and password in Basic auth. There are more secure protocol transports and methods, such as TLS and public key auth using SSL client certs. This or other options (e.g. OAuth) should be preferred over Basic or Digest auth.</p>
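<p>Added example, written for this page and not taken from the ticket or from lighttpd's mod_auth: the RFC 2617 Digest <code>response</code> computation for algorithm=MD5 and MD5-sess with qop=auth, extended to the RFC 7616 SHA-256 and SHA-256-sess variants (same construction with SHA-256 in place of MD5), checked against the worked example in RFC 2617 section 3.5. The "sess-unaware server" path is a hypothetical illustration of one way a server can fail to conform (computing the plain algorithm's response although the client chose the -sess form); the ticket does not say how lighttpd's implementation deviates, and this code does not claim to reproduce it.</p>

```python
"""RFC 2617 / RFC 7616 Digest response computation, qop=auth only.
Added example; not lighttpd or mod_auth code."""
import hashlib
import hmac

_HASHES = {"md5": hashlib.md5, "sha-256": hashlib.sha256}


def _hasher(algorithm):
    """Map an 'algorithm' token to its hex-digest function; '-sess' uses the same hash."""
    base = algorithm.lower()
    if base.endswith("-sess"):
        base = base[: -len("-sess")]
    fn = _HASHES[base]
    return lambda s: fn(s.encode("utf-8")).hexdigest()


def stored_ha1(algorithm, username, realm, password):
    """H(username:realm:password): what an htdigest-style backend stores server-side.
    Identical for MD5 and MD5-sess; the -sess step happens per request."""
    return _hasher(algorithm)(f"{username}:{realm}:{password}")


def expected_response(stored, algorithm, nonce, nc, cnonce, method, uri, qop="auth"):
    """Digest 'response' from the stored HA1 (RFC 2617 section 3.2.2.1).
    For the -sess algorithms A1 is re-hashed with the server nonce and the
    client cnonce, so the per-session secret differs from the stored hash."""
    h = _hasher(algorithm)
    a1 = stored
    if algorithm.lower().endswith("-sess"):
        a1 = h(f"{stored}:{nonce}:{cnonce}")
    ha2 = h(f"{method}:{uri}")  # qop=auth; auth-int would also hash the entity body
    return h(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(algorithm, username, realm, password, nonce, nc, cnonce, method, uri):
    """What a conforming client puts in the Authorization header's response= field."""
    return expected_response(stored_ha1(algorithm, username, realm, password),
                             algorithm, nonce, nc, cnonce, method, uri)


def server_verify(stored, algorithm, nonce, nc, cnonce, method, uri, presented,
                  handle_sess=True):
    """Conforming server check. handle_sess=False models a HYPOTHETICAL server that
    accepts algorithm=MD5-sess but computes the plain MD5 response (one way to be
    non-conformant; not a description of lighttpd's actual behaviour)."""
    algo = algorithm
    if not handle_sess and algo.lower().endswith("-sess"):
        algo = algo[: -len("-sess")]
    expected = expected_response(stored, algo, nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, presented)


# Worked example from RFC 2617 section 3.5 (algorithm=MD5, qop=auth); values copied from the RFC.
RFC2617_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                       password="Circle Of Life",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       nc="00000001", cnonce="0a4f113b",
                       method="GET", uri="/dir/index.html")
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"


def demo():
    """For each algorithm: (conforming server accepts?, sess-unaware server accepts?)
    when a conforming client authenticates with the RFC 2617 example credentials."""
    e = RFC2617_EXAMPLE
    out = {}
    for algo in ("MD5", "MD5-sess", "SHA-256", "SHA-256-sess"):
        stored = stored_ha1(algo, e["username"], e["realm"], e["password"])
        resp = client_response(algo, e["username"], e["realm"], e["password"],
                               e["nonce"], e["nc"], e["cnonce"], e["method"], e["uri"])
        args = (stored, algo, e["nonce"], e["nc"], e["cnonce"], e["method"], e["uri"], resp)
        out[algo] = (server_verify(*args), server_verify(*args, handle_sess=False))
    return out


if __name__ == "__main__":
    print("RFC 2617 vector matches:", client_response("MD5", **RFC2617_EXAMPLE) == RFC2617_RESPONSE)
    for algo, (ok, ok_no_sess) in demo().items():
        print(f"{algo:13s} conforming server: {ok}  sess-unaware server: {ok_no_sess}")
```

<p>The point the ticket makes is visible in the two server paths: the server stores the same H(user:realm:password) for MD5 and MD5-sess, but a client that selected the -sess form folds the nonce and cnonce into A1 before computing the response, so any server that skips that step cannot validate a conforming client. Note that the client password still has to be reversible to H(user:realm:password) on the server, and all of this runs over plaintext HTTP unless TLS is used, which is why the comment above recommends TLS and stronger methods over either Basic or Digest.</p>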