On 13/12/2024 00:39, DIGLLOYD wrote:
> ISSUE: users cannot login to my site.
> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 (Safari uses MD5, which is working fine)
> Details:
> - Tomcat 9.0.98
> - DIGEST auth using MD5
> - has been working for 15+ years just fine.
> - have read all available Tomcat docs, searched web for answers, etc.
> Debugging so far:
> Custom Realm in use for the purpose of managing auth info, but it otherwise defers to org.apache.catalina.realm.RealmBase.
> CredentialHandler: e.g. <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
So you have DIGEST authentication with digested credentials.
That will work as long as DIGEST authentication uses the same digest as
the credentials. In this case: MD5.
By default, Tomcat advertises support for both SHA-256 and MD5 with
DIGEST authentication. Browsers should choose SHA-256 given those
options. To change that, you need to set the algorithms attribute for
the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
Note the comment in the introduction to that section.
Mark
> By instrumenting this realm, I have determined the following:
> - Firefox and Chrome are sending SHA-256 DIGEST to my server, which is using MD5. Guaranteed failure since wrong digest.
> - Safari is sending MD5, which works fine
> - Realm uses standard
> Thoughts:
> I would have thought that Tomcat would be replying to a client by advertising the correct algorithm.
> Possibilities:
> 1. Tomcat is not properly advising the client that MD5 is required.
> 2. The spec is somehow deficient so that client and server do not know what is required.
> 3. The clients (Firefox and Chrome) are doing it wrong.
> 4. Something needs to be configured that I have not configured.
> Lloyd Chambers
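The configuration Mark describes, written out as an added example (not from the thread or from the Tomcat docs): a per-application context.xml that declares the DIGEST authenticator Valve explicitly with algorithms="MD5", next to a Realm whose stored credentials are MD5 digests. The Realm class and resource name are assumptions; the thread uses a custom Realm in their place.

```xml
<!-- META-INF/context.xml (constructed example): pin DIGEST auth to MD5 so the
     advertised algorithm matches the MD5-digested credentials in the Realm. -->
<Context>
  <!-- Declare the authenticator Valve explicitly so its attributes can be set.
       If no Valve is declared, Tomcat picks DigestAuthenticator from web.xml's
       <auth-method>DIGEST</auth-method> with default attributes, which
       advertise both SHA-256 and MD5; Firefox and Chrome then choose SHA-256. -->
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         algorithms="MD5" />

  <!-- Realm with digested credentials (class and resourceName are assumptions;
       the thread uses a custom Realm that defers to RealmBase). With DIGEST
       auth the stored value must be the digest of user:realm:password, where
       realm is the <realm-name> from web.xml, and it can only validate
       responses computed with the same algorithm: MD5 here. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="MD5" />
  </Realm>
</Context>
```

After restarting the application, the WWW-Authenticate challenge should carry only the MD5 variant, which is the quickest way to confirm the setting took effect.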
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------