Re: Digest Access Authentication probably broken

Hello Henryk,

Looking at my code comments, I noted that we don't handle auth-int. The
case where the server sends both values must be something we never tried
before. So it must be a bug.

Can you tell me which server you were using or open me an access so that
I can debug and fix this problem? The latter would be the fastest.


On Sat, Mar 29, 2003 at 06:49:38AM +0100, Henryk Pl?tz wrote:
> I've been playing around with Amaya 7.2 under Gentoo Linux with kernel
> 2.4.20 and Digest Access Authentication. But as soon as the server
> started sending qop="auth, auth-int" in it's WWW-Authenticate response
> header, Amaya was unable to authenticate any longer while Mozilla worked
> fine.
> By modifying the server code I found that Amaya uses "auth, auth-int"
> (without the quotes of course) as value for unq(qop-value) in the
> calculation of the request-digest (RFC 2617, section, while RFC
> 2617 clearly states that it "... MUST be one of the alternatives the
> server indicated it supports in the WWW-Authenticate header. [...] Note
> that this is a single token, not a quoted list of alternatives as in
> WWW-Authenticate." (section 3.2.2)
> So, if I'm not mistaken this is a bug in Amaya, isn't it?


Received on Thursday, 10 April 2003 06:22:50 UTC