Any way to monitor an http type that has digest authentication?
I've tried using user policies and password, but without success.
It looks like go's HTTP client doesn't support digest, but there is a proposal here. So, we'd have to do a custom implementation.
I should note that HTTP digest is an old insecure standard, using a long deprecated hashing algorithm (MD5), is vulnerable to MITM attacks, and provides few of the protections TLS/SSL provides. I assume you're testing against software that only provides digest auth, but if it does provide another form (say, basic over TLS), that would work today.
I've opened a github issue to track this here: https://github.com/elastic/beats/issues/15837
We would accept a patch for it, but given that this is the fist time we've seen a request for it, it probably won't be something we prioritize or build anytime soon given that it is no longer a best practice and is not something in wide use.
1 Like
Thanks for this information, monitoring is on a legacy system, and there is no possibility to change to another type of authentication.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.