[vlc-devel] [PATCH] http access: retain auth struct for the runtime of the module

Felix Paul Kühne fkuehne at videolan.org
Sat Sep 15 18:17:42 CEST 2018

Hi Rémi,

> On 15. Sep 2018, at 15:04, Rémi Denis-Courmont <remi at remlab.net> wrote:
> Le vendredi 14 septembre 2018, 20:08:43 EEST Felix Paul Kühne a écrit :
>> The problem of 9bc4991e is that while Basic Authentication works just fine,
>> Digest Authentication will fail as all Digest information is lost on the
>> reconnections.
> And that's completely irrelevant.
> MD5 in HTTP Digest actually should be dropped properly to prevent downgrade 
> attacks, just like it was already dropped in TLS. And it won't be missed since 
> NTLM essentially took that "market segment" (even if NTLM is worse in some 
> ways than Digest). Literally, I have seen HTTP Digest-MD5 used exactly once in 
> twenty years on the Internet, and that's when I enabled in it in my Apache 
> server for experimenting.
> And then non-broken hash in HTTP Digest, while it has been specified, does not 
> seem to be even supported by anybody, including VLC.

This makes a lot of sense. Regrettably, the stream in question is served by a popular surveillance camera type, which will not receive any software updates. Therefore, it would be nice to find a solution for it as technically this is a regression from the 2.2 branch albeit unintended. Let’s maybe discuss this in person next weekend :)

> Meanwhile, this patch is an unauthorized revert and reintroduce a memory leak. 
> Please undo.

This was already done yesterday.

Best regards,


More information about the vlc-devel mailing list