Closed daniel-widrick closed 1 year ago
Despite the RFC saying that if the algorithm is unspecified it's ASSUMED to be md5... The quoted section below MAY suggest it's a bug for the algorithm to be included when not specified by the server?
"The values of the opaque and algorithm fields must be those supplied in the WWW-Authenticate response header for the entity being requested."
https://datatracker.ietf.org/doc/html/rfc2617#section-3.2.2
Edit: I've reached out to the dev for the digest_auth crate via email... I was unable to get access to the relevant issue tracker on the gitea instance that hosts the library.
Hey Daniel,
Sorry for the late reply, I do not have too much time to put into this project currently. Any news from the digest_auth author?
:v:
I did reach out to the digest_auth dev. I also worked on this some more... I was able to remove the algorithm parameter from a request but the problem remains with the Mikrotik switch.
These requests all validate with third-party tools. I've submitted a ticket to Mikrotik about the underlying issue, but am not super hopeful on a reasonable response.
This could probably be closed. I doubt the problem exists outside of Mikrotik's implementation in SwOS.
Oh, ok, feel free to open it again or even come up with a PR when diqwest can solve the issue.
I'm working on a program to log into the web interface of a Mikrotik Switch.
The authentication is failing with diqwest. The authentication works as expected in a browser / with curl.
I created a VERY simple program (golang) to act as an HTTP server and ALWAYS send the same WWW-Authenticate header:
The Curl Test command:
curl -vvv --digest -u "admin:admin" http://127.0.0.1:8099/hello
and the Rust diqwest code:
Below are the headers received by the server:
qop is auth and the algorithm is unspecified.
HA1 should be: 903fda724aba1586c086fdbed1e7eeb0
HA2 should be: 87969d867ee02588e3220f2c3b0ad34b
cURL's response should be: 9b919621bc520ba65b54b9ae73039d17
diqwest's response should be: 2c1604f23e48d28111d47e33b81a3d13
Is it possible that the additional "algorithm=MD5" header is messing up the auth algorithm in SwitchOS?
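Added example, not part of the original thread and not code from diqwest or digest_auth: a server-side check that recomputes the RFC 2617 `response` for the case described above (qop=auth, algorithm unspecified or MD5) and compares it with what the client sent. The names `ParseDigest` and `ExpectedResponse` are hypothetical, and the sample header is the worked example from RFC 2617 section 3.5, not the headers captured in this issue.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
)

// paramRe matches key=value pairs, quoted or bare, in a Digest header value.
var paramRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|([^\s,]+))`)

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// ParseDigest splits an Authorization: Digest header value into its fields.
func ParseDigest(header string) map[string]string {
	out := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(header, -1) {
		out[m[1]] = m[2] + m[3] // only one of the two groups is non-empty
	}
	return out
}

// ExpectedResponse recomputes the request-digest for MD5 with qop=auth.
// A missing algorithm field is treated as MD5, as RFC 2617 specifies.
func ExpectedResponse(p map[string]string, method, password string) (string, error) {
	if a := p["algorithm"]; (a != "" && a != "MD5") || p["qop"] != "auth" {
		return "", fmt.Errorf("only MD5 with qop=auth is handled here")
	}
	ha1 := md5hex(p["username"] + ":" + p["realm"] + ":" + password)
	ha2 := md5hex(method + ":" + p["uri"])
	return md5hex(ha1 + ":" + p["nonce"] + ":" + p["nc"] + ":" + p["cnonce"] + ":auth:" + ha2), nil
}

// Sample input: RFC 2617 section 3.5 example (password "Circle Of Life").
const sample = `Digest username="Mufasa", realm="testrealm@host.com",
	nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html",
	qop=auth, nc=00000001, cnonce="0a4f113b",
	response="6629fae49393a05397450978507c4ef1"`

func main() {
	p := ParseDigest(sample)
	want, err := ExpectedResponse(p, "GET", "Circle Of Life")
	fmt.Println(want, want == p["response"], err)
}
```

Because the `algorithm` field is not an input to any of the three hashes, a header with `algorithm=MD5` appended yields the same expected response under this computation.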