List:General Discussion« Previous MessageNext Message »
From:Noel Butler Date:March 7 2011 11:31pm
Subject:Re: mysql apache md5
View as plain text  
On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:

> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone a
> salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the
> build kit for apache modules.
> 
> I strongly suspect your problem is on another level.
> 
> 


Actually, he is correct. Though, the Apache variant of md5 is a chosen
improved security method, it really shouldn't be called MD5 since it is
not compatible with, well, base MD5 :)

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

MD5

        "$apr1$" + the result of an Apache-specific algorithm using an
        iterated (1,000 times) MD5 digest of various combinations of a
        random 32-bit salt and the password. See the APR source file
        apr_md5.c for the details of the algorithm.
        


MD5

$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 


I agree Apache should probably not be calling it MD5. Perhaps it needs
renaming and MD5 as we all know it, be, MD5.

and for this reason I will xpost to devs list for some clear (maybe)
explanation as to why it was called this.

I don't think Edward's questioning is unreasonable, given the popularity
of LAMP combination, they are touted to work hand in hand, but as he
pointed out, they are not, even exampled by openssl wanting -apr1  not
-md5 to be compatible, so I can see how
this would be a problem with MySQL insert of md5(foo)  not be recognised
by an Apache md5 wanting.


Noel





> ----- Original Message -----
> > From: "Edward avanti" <edward.avanti@stripped>
> > To: mysql@stripped
> > Sent: Monday, 7 March, 2011 5:54:02 AM
> > Subject: Re: mysql apache md5
> > 
> > everything to do with mysql
> > I try make it clearer, sorry for not so in first post
> > 
> > customer relationship manager add users into mysql
> > we want not to use apache auth of encrypt, but use md5 for longer
> > password
> > apache use variant of md5, called md5 -apr, but mysql md5  only uses
> > the -1
> > type
> > so, when CRM add userlike
> > INSERT INTO users  (..other....`appass`) values  (...other...
> > 'MD5('$PASS')
> >   ....
> > the md5 -1 that mysql uses is not compatible so apache auth fail. the
> > variant is apaprently add
> > $apr1$<up to 8 chars>$md5passwordhere,
> > making allabove line the salted md5.
> > I try to get mysql and apache to play nice, but thy do not because
> > mysql and
> > apache not use same method, hence my attempt to work around, even SHA
> > same
> > affect, i am try use anything but DES encrypt('$PASS')
> > sadly that only thing that work happily witrh each other.
> > openssl have ability to do this so not sure why mysql not have option
> > 
> > Sure someone had same problem and simple work around to have mysql
> > use
> > correct md5, but no google fu work
> > 
> 
> -- 
> Bier met grenadyn
> Is als mosterd by den wyn
> Sy die't drinkt, is eene kwezel
> Hy die't drinkt, is ras een ezel
> 



Attachment: [text/html]
Attachment: [text/html]
Attachment: [application/pgp-signature] This is a digitally signed message part signature.asc
Attachment: [application/pgp-signature] This is a digitally signed message part signature.asc
Thread
mysql apache md5Edward avanti6 Mar
  • Re: mysql apache md5Reindl Harald6 Mar
    • Re: mysql apache md5Edward avanti7 Mar
      • Re: mysql apache md5Johan De Meersman7 Mar
        • Re: mysql apache md5Noel Butler8 Mar