[vlc-devel] [PATCH] http access: retain auth struct for the runtime of the module
Felix Paul Kühne
fkuehne at videolan.org
Sat Sep 15 18:17:42 CEST 2018
Hi Rémi,
> On 15. Sep 2018, at 15:04, Rémi Denis-Courmont <remi at remlab.net> wrote:
>
> Le vendredi 14 septembre 2018, 20:08:43 EEST Felix Paul Kühne a écrit :
>> The problem of 9bc4991e is that while Basic Authentication works just fine,
>> Digest Authentication will fail as all Digest information is lost on the
>> reconnections.
>
> And that's completely irrelevant.
>
> MD5 in HTTP Digest actually should be dropped properly to prevent downgrade
> attacks, just like it was already dropped in TLS. And it won't be missed since
> NTLM essentially took that "market segment" (even if NTLM is worse in some
> ways than Digest). Literally, I have seen HTTP Digest-MD5 used exactly once in
> twenty years on the Internet, and that's when I enabled in it in my Apache
> server for experimenting.
>
> And then non-broken hash in HTTP Digest, while it has been specified, does not
> seem to be even supported by anybody, including VLC.
This makes a lot of sense. Regrettably, the stream in question is served by a popular surveillance camera type, which will not receive any software updates. Therefore, it would be nice to find a solution for it as technically this is a regression from the 2.2 branch albeit unintended. Let’s maybe discuss this in person next weekend :)
> Meanwhile, this patch is an unauthorized revert and reintroduce a memory leak.
> Please undo.
This was already done yesterday.
Best regards,
Felix
More information about the vlc-devel
mailing list