SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #354
Comments
I will look into this, thanks for the report.
Dear @cypht-org team, have you progressed since 2019? Thanks in advance.
Thank you for the follow-up. AFAIK, no progress has been made on this specific issue. But we've just released a major version with tons of new features and fixes. And we've moved the project to an organization to facilitate work by various developers. Ref.: https://unencumberedbyfacts.com/2023/06/14/cypht-rebooted/ @josaphatim What do you think?
@marclaporte: Excellent news! Hope it will be possible to have more security in your other projects too :)
Hehe, yeah :-)
@Danelif please advise.
I will look into this and give a report.
@marclaporte I have read all the documentation provided above and in my opinion, for cypht, SCRAM-SHA-256-PLUS is suitable. Unfortunately, there is not much documentation apart from the Internet Engineering Task Force (IETF).
@Danelif: Yes, PostgreSQL supports SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, and a lot of other projects/softs/libs/... @marclaporte: I have tried to contact you in private by e-mail and by Twitter (public message because DM is not open for you); can you reply to me? Thanks in advance.
Done
@Danelif Do you feel comfortable preparing a pull request?
@marclaporte yes I do
OK, please proceed.
@marclaporte, @Danelif: Can you look at SCRAM with Auth_SASL/Auth_SASL2? It will be nice to have before a new release...
@Neustradamus okay, let me take a look
@Danelif: Nice, good job! Can you add the other SCRAM variants too?
@Neustradamus alright
@Danelif: Note that there are two connection possibilities by SCRAM, example for 256:
It will be perfect to have support of: SHA-1/SHA-256/SHA-512/SHA3-512. Note: If you can add the -PLUS variant support into Auth_SASL/Auth_SASL2, it will be a big enhancement to have full compatibility and will profit several projects in the world.
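For readers of this thread who want to see what the mechanisms discussed above actually exchange on the wire, here is an added example (not Cypht, Auth_SASL or Auth_SASL2 code) of one complete SCRAM exchange per RFC 5802 framing, parameterized by hash so the same code runs SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512. It assumes, as simplifications, no SASLprep and no ","/"=" escaping of the username, and no channel binding: the GS2 header is fixed to `n,,`, so the -PLUS variants mentioned above are out of scope here. The user names, passwords and iteration count are constructed for the demo.

```python
"""SCRAM client/server exchange (RFC 5802 framing; RFC 7677 for SHA-256).

Added example for this thread, not project code. Assumptions: no SASLprep,
no username escaping, no channel binding (GS2 header fixed to "n,,").
"""
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 4096  # constructed for the demo; RFC 7677 minimum for SHA-256


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _h(hash_name: str, data: bytes) -> bytes:
    return hashlib.new(hash_name, data).digest()


def _hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hash_name).digest()


def _parse(msg: str) -> dict:
    """Split 'k=v,k=v' attributes; base64 values may contain '=' padding."""
    return {p[0]: p[2:] for p in msg.split(",") if len(p) > 1 and p[1] == "="}


class ScramServer:
    """Stores only salt, StoredKey and ServerKey per user, never the password."""

    def __init__(self, hash_name: str, users: dict):
        self.h = hash_name
        self.db = {}
        for user, password in users.items():
            salt = os.urandom(16)
            salted = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, ITERATIONS)
            client_key = _hmac(hash_name, salted, b"Client Key")
            self.db[user] = {"salt": salt,
                             "stored_key": _h(hash_name, client_key),
                             "server_key": _hmac(hash_name, salted, b"Server Key")}

    def first(self, client_first: str) -> str:
        self.client_first_bare = client_first[len("n,,"):]
        attrs = _parse(self.client_first_bare)
        self.user = attrs["n"]
        rec = self.db[self.user]
        # Server nonce = client nonce followed by a fresh server part (RFC 5802 5.1)
        self.nonce = attrs["r"] + secrets.token_urlsafe(18)
        self.server_first = f"r={self.nonce},s={_b64(rec['salt'])},i={ITERATIONS}"
        return self.server_first

    def final(self, client_final: str):
        """Return the server-final message, or None if the client proof is bad."""
        attrs = _parse(client_final)
        rec = self.db[self.user]
        if attrs["r"] != self.nonce:
            return None
        without_proof = client_final[: client_final.rindex(",p=")]
        auth_message = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_sig = _hmac(self.h, rec["stored_key"], auth_message)
        # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey
        client_key = _xor(base64.b64decode(attrs["p"]), client_sig)
        if not hmac.compare_digest(_h(self.h, client_key), rec["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.h, rec["server_key"], auth_message))


class ScramClient:
    def __init__(self, hash_name: str, user: str, password: str):
        self.h, self.user, self.password = hash_name, user, password
        self.cnonce = secrets.token_urlsafe(18)

    def first(self) -> str:
        self.client_first_bare = f"n={self.user},r={self.cnonce}"
        return "n,," + self.client_first_bare

    def final(self, server_first: str) -> str:
        attrs = _parse(server_first)
        nonce = attrs["r"]
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend the client nonce")
        salt, iters = base64.b64decode(attrs["s"]), int(attrs["i"])
        salted = hashlib.pbkdf2_hmac(self.h, self.password.encode(), salt, iters)
        client_key = _hmac(self.h, salted, b"Client Key")
        stored_key = _h(self.h, client_key)
        without_proof = f"c={_b64(b'n,,')},r={nonce}"  # c=biws: no channel binding
        self.auth_message = ",".join([self.client_first_bare, server_first, without_proof]).encode()
        proof = _xor(client_key, _hmac(self.h, stored_key, self.auth_message))
        self.server_key = _hmac(self.h, salted, b"Server Key")
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        """Mutual authentication: the server must prove it holds ServerKey."""
        expected = _hmac(self.h, self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]), expected)


def run_exchange(hash_name: str, user: str, password: str, server: ScramServer) -> bool:
    """Drive one full exchange; True only when both sides authenticate."""
    client = ScramClient(hash_name, user, password)
    server_first = server.first(client.first())
    server_final = server.final(client.final(server_first))
    return server_final is not None and client.verify_server(server_final)
```

Two points the thread touches on are visible here: the server never stores the password, only salt, StoredKey and ServerKey, and the client checks the server's `v=` value, so a server that does not know ServerKey fails the exchange even if it accepted the client proof.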
I just finished including all the SCRAM-SHA mechanisms in the code base.
This PR has been merged, so can I remove CRAM-MD5 (#1063) in cypht now? @marclaporte @Neustradamus
Wait. Is there a use case where the more advanced mechanisms would not be used? If the system always uses the more secure mechanisms, it should never fall back to CRAM-MD5.
Say the mail server only supports PLAIN and CRAM-MD5; it's surely better to use CRAM-MD5 instead of PLAIN?
At the same time as the CRAM-MD5 removal, it is possible to remove LOGIN too. The last possibility for "old servers" is PLAIN with TLS.
I'd deprecate it and use it as a last resort for now. If big clients/servers haven't removed it yet, there might be a strong reason to. I understand the protocol is outdated and has moved to historic status, but completely removing the authentication protocols might actually drop support for certain servers/users/use-cases.
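The "deprecate and use as a last resort" position above translates into a client-side mechanism selection policy. The following is an added example (not Cypht code) of such a policy: strongest advertised mechanism first, cleartext mechanisms (PLAIN, LOGIN) only under TLS, CRAM-MD5 kept only as a fallback when no SCRAM mechanism is offered. It also sets the GS2 channel-binding flag from RFC 5802 section 6, which is how a client that could use a -PLUS variant lets the server notice if a -PLUS advertisement was stripped in transit. The preference order, the `tls-exporter` binding type (RFC 9266) and the function name are assumptions of this example.

```python
# Added example of SASL mechanism selection; not Cypht or Auth_SASL code.
PREFERENCE = [  # assumed order, strongest first
    "SCRAM-SHA-512-PLUS", "SCRAM-SHA-256-PLUS", "SCRAM-SHA-1-PLUS",
    "SCRAM-SHA-512", "SCRAM-SHA-256", "SCRAM-SHA-1",
    "CRAM-MD5", "PLAIN", "LOGIN",
]
CLEARTEXT = {"PLAIN", "LOGIN"}  # send the password itself; TLS only


def choose_mechanism(advertised, tls_active, channel_binding):
    """Return (mechanism, gs2_header); (None, None) if nothing is acceptable.

    channel_binding: True when the client's TLS stack exposes a binding value.
    GS2 header (RFC 5802 section 6): 'p=<type>,,' when binding is used,
    'y,,' when the client could bind but no -PLUS mechanism was offered
    (the server can then detect a downgrade), 'n,,' for plain SCRAM.
    Non-SCRAM mechanisms have no GS2 header, so gs2_header is None.
    """
    offered = {m.upper() for m in advertised}
    server_offers_plus = any(m.endswith("-PLUS") for m in offered)
    can_bind = tls_active and channel_binding
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech.endswith("-PLUS") and not can_bind:
            continue  # cannot complete a -PLUS exchange without a binding
        if mech in CLEARTEXT and not tls_active:
            continue  # never send a password in the clear
        if mech.endswith("-PLUS"):
            gs2 = "p=tls-exporter,,"  # binding type assumed (RFC 9266)
        elif mech.startswith("SCRAM-"):
            gs2 = "y,," if can_bind and not server_offers_plus else "n,,"
        else:
            gs2 = None
        return mech, gs2
    return None, None
```

With this policy a server that lists only PLAIN, LOGIN and CRAM-MD5 still authenticates via CRAM-MD5 over a plaintext connection, which is the fallback case argued for above, while any SCRAM offer wins outright.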
Dear @cypht-org team,
For more security, can you add support of:
You can add too:
A "big" list has been done in the last link of this ticket.
SCRAM-SHA-1(-PLUS):
SCRAM-SHA-256(-PLUS):
SCRAM-SHA-512(-PLUS):
SCRAM-SHA3-512(-PLUS):
-PLUS variants:
IMAP:
LDAP:
HTTP:
2FA:
IANA:
Linked to: