
RPC: Avoid cleartext passwords by default #1986

Closed
wants to merge 2 commits into from

Commits on Nov 16, 2012

  1. RPC: Avoid cleartext passwords by default

    Although in theory RPC API access should be locked down, there are
    occasions where cleartext passwords have been used anyway.
    
    HTTP Basic authentication remains, but a new default "Bitcoin" HTTP
    Authorization header is used.  HTTP Digest authentication was considered
    initially, but that may require additional HTTP round-trips.  The standard
    HMAC-SHA256 algorithm pair was chosen instead, with some additional stirring
    factors (random nonce, time).
    
    The HTTP server will accept Basic or Bitcoin authentication now.
    
    The HTTP client will attempt Bitcoin authentication, and fall back to
    Basic if that fails.
    Jeff Garzik authored and Jeff Garzik committed Nov 16, 2012
    a4305bf
  2. RPC: clamp HTTP auth timestamp to +/- 60 seconds

    Jeff Garzik authored and Jeff Garzik committed Nov 16, 2012
    010cc65
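The following is an added illustration of the scheme the two commit messages describe (an HMAC-SHA256 Authorization header stirred with a random nonce and a timestamp, with the timestamp clamped to +/- 60 seconds on the server); it is not the pull request's own code. The field layout of the header, the function names, the nonce-replay set and keying the HMAC directly with the RPC password are assumptions made for this example.

```python
import hmac
import hashlib
import os
import time
from typing import Callable, Optional, Set

# Tolerance from the second commit: reject timestamps more than 60 s off.
WINDOW_SECONDS = 60


def make_auth_header(user: str, password: str,
                     now: Optional[int] = None,
                     nonce: Optional[bytes] = None) -> str:
    """Client side: prove knowledge of the password without sending it.
    Wire format "Bitcoin user:nonce:timestamp:mac" is an assumption."""
    ts = int(time.time()) if now is None else now
    nonce_hex = (os.urandom(16) if nonce is None else nonce).hex()
    msg = f"{user}:{nonce_hex}:{ts}".encode()
    mac = hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()
    return f"Bitcoin {user}:{nonce_hex}:{ts}:{mac}"


def verify_auth_header(header: str,
                       lookup_password: Callable[[str], Optional[str]],
                       now: Optional[int] = None,
                       seen_nonces: Optional[Set[str]] = None) -> bool:
    """Server side: clamp the timestamp, recompute the MAC and compare it in
    constant time; optionally refuse a nonce that was already accepted."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Bitcoin":
        return False                      # Basic etc. handled elsewhere
    parts = rest.split(":")
    if len(parts) != 4:
        return False
    user, nonce_hex, ts_str, mac = parts
    if not ts_str.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts_str)) > WINDOW_SECONDS:
        return False                      # outside the +/- 60 s window
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(),
                        f"{user}:{nonce_hex}:{ts_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    if seen_nonces is not None:           # replay protection inside the window
        if nonce_hex in seen_nonces:
            return False
        seen_nonces.add(nonce_hex)
    return True
```

The password never appears in the header, but because the client described in the first commit falls back to Basic when this exchange fails, a rejected attempt still puts the cleartext password on the wire; whether the server accepts Basic at all remains a server-side policy decision.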