I'm hoping somebody can independently whip up a test to confirm, but I think
the SHA1 implementation in Apache in broken for 64-bit platforms.

I had written an HMAC implementation using it (for mod_auth_bsd), and was
getting different HMAC's for the same inputs. So, then I tried a straight
hash of a static string and am still getting different outputs everytime. It
seems so improbable, so I'm hoping somebody could throw together a test to
confirm. In the mean time I'll try to pull out the SHA1 code and try testing
it outside of my module (in case my module is doing something funky).

I'm not very adept at bit twiddling, so I can't examine the Apache code
directly w/ any confidence.

MD5 seems to work find, BTW.

- Bill