Hi all. It seems that current digest authentication doesn't support A1 calculation. Is there any plan when this is implemented?
Regards, furaisanjin
furaisanjin wrote:
It seems that current digest authentication doesn't support A1 calculation. Is there any plan when this is implemented?
Is there a site that isn't working? a_Digest_compute_digest() calculates A1 for MD5 and MD5-sess, but I disabled digest auth for MD5-sess in Auth_parse_digest_challenge_cb() because http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestalgorith... said "MD5-sess is not correctly implemented yet", which prevented me from giving it much testing.
2011/10/11 corvid <corvid at lavabit.com>:
Is there a site that isn't working?
http://x68000.q-e-d.net/~68user/net/sample/http-auth-digest/secret.html This is just a test page and user name is hoge and password is fuga.
a_Digest_compute_digest() calculates A1 for MD5 and MD5-sess, but I disabled digest auth for MD5-sess in Auth_parse_digest_challenge_cb() because http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestalgorith... said "MD5-sess is not correctly implemented yet", which prevented me from giving it much testing.
RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) mentions how A1 is calculated in 3.2.2.2 and MD5-sess requires more parameters and A1 is calculated only once but A1 is also calculated for MD5 and none specified algorithm.
Regards, furaisanjin
furaisanjin wrote:
2011/10/11 corvid <corvid at lavabit.com>:
Is there a site that isn't working?
http://x68000.q-e-d.net/~68user/net/sample/http-auth-digest/secret.html
This is just a test page and user name is hoge and password is fuga.
It seems to work for me. I give user and pass, and then it shows me a page with "Digest" and some Japanese text that I don't know how to read.
a_Digest_compute_digest() calculates A1 for MD5 and MD5-sess, but I disabled digest auth for MD5-sess in Auth_parse_digest_challenge_cb() because http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestalgorith... said "MD5-sess is not correctly implemented yet", which prevented me from giving it much testing.
RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) mentions how A1 is calculated in 3.2.2.2 and MD5-sess requires more parameters and A1 is calculated only once but A1 is also calculated for MD5 and none specified algorithm.
This is what a_Digest_compute_digest() does.
Sorry about the confusion.
2011/10/11 corvid <corvid at lavabit.com>:
furaisanjin wrote:
2011/10/11 corvid <corvid at lavabit.com>:
Is there a site that isn't working?
http://x68000.q-e-d.net/~68user/net/sample/http-auth-digest/secret.html
This is just a test page and user name is hoge and password is fuga.
It seems to work for me. I give user and pass, and then it shows me a page with "Digest" and some Japanese text that I don't know how to read.
Originally I detected a digest authentication problem with my DVD recorder. I put in some debug code to see the behavior, but I put in an extra quote like algorithm="MD5". This caused the problem accessing the page mentioned above.
a_Digest_compute_digest() calculates A1 for MD5 and MD5-sess, but I disabled digest auth for MD5-sess in Auth_parse_digest_challenge_cb() because http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestalgorith... said "MD5-sess is not correctly implemented yet", which prevented me from giving it much testing.
RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) mentions how A1 is calculated in 3.2.2.2 and MD5-sess requires more parameters and A1 is calculated only once but A1 is also calculated for MD5 and none specified algorithm.
This is what a_Digest_compute_digest() does.
Yes, I was looking at the wrong place. The problems of my DVD recorder are
1 it doesn't allow extra space characters between '='.
2 uri needs to have quote
3 the order of parameter seems to have strict rule (username, realm, nonce, uri, cnonce, nc, algorithm, response, qop)
Both IE and firefox follow 1 and 2 but only IE follows 3.
Regards, furaisanjin
furaisanjin wrote:
The problems of my DVD recorder are 1 it doesn't allow extra space characters between '='.
My impression has been that rfc 2617, following rfc 2616's rules, permits implied linear whitespace in such places. But we can take the spaces out.
2 uri needs to have quote
I was sure this was wrong. And it turns out that this is in the errata (http://www.rfc-editor.org/errata_search.php?rfc=2617)
'Errata ID: 2600
Status: Verified
Type: Technical
Reported By: Victor S. Osipov
Date Reported: 2010-11-02
Verifier Name: Peter Saint-Andre
Date Verified: 2011-07-14
Section 3.2.2 says:
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
It should say:
digest-uri = "uri" "=" <"> digest-uri-value <">
digest-uri-value = request-uri ; As specified by HTTP/1.1
Notes:
This is an error here that the digest-uri-value is not enclosed in quotation marks'
3 the order of parameter seems to have strict rule (username, realm, nonce, uri, cnonce, nc, algorithm, response, qop)
Both IE and firefox follow 1 and 2 but only IE follows 3.
We could try it and see whether all of the stupid software (or at least most of the stupid software) likes that order.