SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) supports #51
SCRAM-SHA-256 support should be easy to add. Thanks for the RFC links! |
@COM8 Thanks for all commits that you have done about SCRAM-SHA-256! |
It is possible to add for 512 too? |
Hmmm, well it would be really easy to add support for the 512 variants too, but I don't think it's that useful since everything using SHA-1 is basically deprecated at this point (Reference). It also is not proven that it provides more security in any way (If the mechanism is broken why should increasing the iteration count improve security?). Another point is: You can use SCRAM-SHA-1 as auth method and send an iteration count >= 4096 to your clients because the "number" only handles the min iteration count that is required. Do you know any server that actually supports the Let me think about it for a couple of days and I will come back to it then. Thanks for your suggestion! |
List here: scram-sasl/info#1 |
OK I will add support for it, since it's quite easy to do. Do you have any RFC for it? Can't find any. |
Only RFCs cited before. |
From RFC8600: "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]". |
If this is the TLDR out of the paper - sure yes, that's true 😄 . |
XMPP servers have removed the old, unsecured MD5 support; any news on it? |
Nope. I've never actually implemented |
Can you add other SCRAM possibilities? |
The non-PLUS variants are easy to add, but for the PLUS variants I need to pass the server certificate to the mechanism, which is not possible right now. |
@Neustradamus, Thanks. |
@COM8: Can you add 512 like others? |
512 as I can see it, yes. But the PLUS variants are not. |
SCRAM-SHA-512, and maybe SCRAM-SHA3-512 too? Yes I know, PLUS variants are different... |
Don't know right now. I have to have a look into it. |
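Added example, not code from this repository or its contributors: the RFC 5802 proof and verification steps written once and parameterized only by the digest name, which is why the non-PLUS SHA-256 and SHA-512 variants discussed above amount to another table entry, while the PLUS variants would additionally need channel-binding data (the server certificate) folded into the `c=` attribute. Username, nonces and salt are constructed sample values; the `VARIANTS` table is an assumption for illustration.

```python
import base64
import hashlib
import hmac

# RFC 5802 defines SCRAM once for any hash H; RFC 7677 (SHA-256) and the SHA-512
# draft only swap H, so one implementation serves every non-PLUS variant (assumed table).
VARIANTS = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256", "SCRAM-SHA-512": "sha512"}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(hash_name, password, salt, iterations):
    """SaltedPassword = Hi(password, salt, i) = PBKDF2; returns (StoredKey, ServerKey, ClientKey)."""
    salted = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return hashlib.new(hash_name, client_key).digest(), server_key, client_key

def client_proof(hash_name, password, salt, iterations, auth_message):
    """Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    stored_key, _, client_key = derive_keys(hash_name, password, salt, iterations)
    return _xor(client_key, hmac.new(stored_key, auth_message, hash_name).digest())

def server_verify(hash_name, stored_key, server_key, auth_message, proof):
    """Server: recover ClientKey = proof XOR ClientSignature, check H(ClientKey) == StoredKey.
    Needs only the stored verifier, never the password. Returns ServerSignature or None."""
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    if not hmac.compare_digest(hashlib.new(hash_name, _xor(proof, client_sig)).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, hash_name).digest()

def run_exchange(mechanism, password, client_password=None, iterations=4096):
    """One non-PLUS exchange over constructed sample data (user, nonces, salt);
    returns (server accepted the client proof, client accepted the server signature)."""
    hash_name = VARIANTS[mechanism]
    client_password = password if client_password is None else client_password
    salt, c_nonce, s_nonce = b"constructed-salt", "c0nstructedClientNonce", "c0nstructedServerNonce"
    client_first_bare = f"n=user,r={c_nonce}"
    server_first = f"r={c_nonce}{s_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={c_nonce}{s_nonce}"  # c=biws is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    stored_key, server_key, _ = derive_keys(hash_name, password, salt, iterations)  # server's verifier
    proof = client_proof(hash_name, client_password, salt, iterations, auth_message)
    server_sig = server_verify(hash_name, stored_key, server_key, auth_message, proof)
    if server_sig is None:
        return False, False
    # Mutual authentication: the client recomputes ServerKey and checks the server's signature.
    _, client_side_server_key, _ = derive_keys(hash_name, client_password, salt, iterations)
    expected = hmac.new(client_side_server_key, auth_message, hash_name).digest()
    return True, hmac.compare_digest(server_sig, expected)
```

RFC 7677 section 3 carries a reference SCRAM-SHA-256 exchange with a fixed salt and nonces that can be fed through the same functions to check the arithmetic against published values.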
Just a small update from my side on this. |
@COM8: Are you sure that SCRAM-SHA-512 cannot be added? And SCRAM-SHA3-512 too? Linked to: |
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
There is only SCRAM-SHA-1, can you add support for?
SCRAM-SHA-1-PLUS:
-- https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120
SCRAM-SHA-256(-PLUS):
-- https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
SCRAM-SHA-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
SCRAM-SHA3-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
https://xmpp.org/extensions/inbox/hash-recommendations.html
-PLUS variants:
LDAP:
HTTP:
2FA:
IANA:
Linked to: