Re: [squid-users] Squid negotiate authentication digest/basic

From: FredB <fredbmail_at_free.fr>
Date: Mon, 18 Feb 2013 15:10:49 +0100 (CET)

>
> I found something strange with nonce, the nonce never seems to change
> nonce_max_count
>
> auth_param digest nonce_max_count 10
> auth_param digest check_nonce_count yes
> auth_param digest nonce_strictness on
>
> http://www.squid-cache.org/Doc/config/auth_param/
>
> With Wireshark I'm seeing my nonce like nonce="a7qcucileAouwvp6", OK,
> no problem, but it is still the same after many requests (hundreds)
>
> I also tested with auth_param digest nonce_max_duration 2 minutes, I
> need to reload my ID/password.
>
> A bug? Or a misunderstanding?
>
> Thanks
>
>

I opened a new bug, also with a fix, here: http://bugs.squid-cache.org/show_bug.cgi?id=3782
I think that it's a potential security problem concerning replay attacks.

Regards Fred
Received on Mon Feb 18 2013 - 14:11:04 MST
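
An added example, not part of the original message or of Squid's code: an offline check over captured Digest credentials headers that flags requests which the `nonce_max_count`, `check_nonce_count` and `nonce_strictness` settings quoted above would be expected to stop. The names `parse_digest`, `audit` and `sample_header` and every header value except the nonce quoted in the post are constructed for illustration; treating `nonce_max_count` as a cap on the number of requests seen per nonce is an assumption about the intended semantics.

```python
import re
from collections import defaultdict

NONCE_MAX_COUNT = 10   # mirrors "auth_param digest nonce_max_count 10"
STRICT = True          # mirrors "auth_param digest nonce_strictness on"

def parse_digest(header):
    """Split a Digest credentials header into a dict of its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def audit(headers, max_count=NONCE_MAX_COUNT, strict=STRICT):
    """Return (index, reason) for each request the configured limits should stop."""
    uses = defaultdict(int)   # nonce -> number of requests seen with it
    last_nc = {}              # nonce -> highest nc seen so far
    findings = []
    for i, header in enumerate(headers):
        p = parse_digest(header)
        nonce, nc = p["nonce"], int(p["nc"], 16)   # nc is 8 hex digits (RFC 2617)
        uses[nonce] += 1
        prev = last_nc.get(nonce, 0)
        if uses[nonce] > max_count:
            findings.append((i, "nonce reused past nonce_max_count"))
        if nc <= prev:
            findings.append((i, "nc not increasing (possible replay)"))
        elif strict and nc != prev + 1:
            findings.append((i, "nc gap under nonce_strictness"))
        last_nc[nonce] = max(prev, nc)
    return findings

def sample_header(nonce, nc):
    """Build a constructed header; every value except the nonce is made up."""
    return ('Digest username="user1", realm="proxy", nonce="%s", uri="/", '
            'qop=auth, nc=%08x, cnonce="c0ffee", response="00"' % (nonce, nc))

# Constructed capture: 12 requests on the nonce quoted in the post, then a replay of nc=5.
CAPTURE = [sample_header("a7qcucileAouwvp6", n) for n in range(1, 13)]
CAPTURE.append(sample_header("a7qcucileAouwvp6", 5))

if __name__ == "__main__":
    for index, reason in audit(CAPTURE):
        print("request %d: %s" % (index, reason))
```

Any finding for a request that the proxy answered without a fresh challenge corresponds to the behaviour reported in the post.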