SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #354
Comments
|
I will look into this, thanks for the report. |
|
Dear @cypht-org team, Have you progressed since 2019? Thanks in advance. |
|
Thank you for the follow up. AFAIK, no progress has been made on this specific issue. But we've just released a major version with tons of new features and fixes. And we've moved the project to an organization to facilitate work by various developers. Ref.: https://unencumberedbyfacts.com/2023/06/14/cypht-rebooted/ @josaphatim What do you think? |
|
@marclaporte: Excellent news! Hope it will be possible to have more security in your other projects too :) |
|
Hehe, yeah :-) |
|
@Danelif please advise. |
|
I will look into this and give report |
|
@marclaporte I have read all the documentation provided above and in my opinion for cypht, SCRAM-SHA-256-PLUS is suitable. Unfortunately, there is no much documentation apart from the Internet Engineering Task Force (IETF). |
|
@Danelif: Yes, PostgreSQL supports SCRAM-SHA-256 and SCRAM-SHA-256-PLUS and a lot of others projects/softs/libs/... @marclaporte: I have tried to contact you in private by e-mail, by Twitter (public message because DM is not opened for you), can you reply me? Thanks in advance. |
Done |
|
@Danelif Do you feel comfortable to prepare a pull request? |
|
@marclaporte yes I do |
|
ok, please proceed |
|
@marclaporte, @Danelif: Can you look SCRAM with Auth_SASL/Auth_SASL2? It will be nice to have before a new release... |
|
@Neustradamus okay let me take a look |
|
@Danelif: Nice, good job! Can you add other SCRAM too? |
|
@Neustradamus alright |
|
@Danelif: Note that there are two connection possibilities by SCRAM, example for 256:
It will be perfect to have support of: SHA-1/SHA-256/SHA-512/SHA3-512. Note: If you can add the -PLUS variant support into Auth_SASL/Auth_SASL2, it will be a big enhancement to have a full compatibility and will profit to several projects in the World. |
|
i just finished to include all SCRAM SHA in the code base |
|
This PR has been merged so can i remove CRAM-MD5 (#1063) in cypht now ? @marclaporte @Neustradamus |
|
Wait. Is there a use case that the more advanced mechanisms would not be used? If system always uses more secure mechanisms, it should never fall back to CRAM-MD5 |
|
Say the mail server only supports plain and CRAM-MD5, it's surely better to use CRAM-MD5 instead of plain? |
|
At the same time of CRAM-MD5 removal, it is possible to remove LOGIN too. The latest possibility for "old servers" is PLAIN with TLS. |
|
I'd deprecate and use as a last resort for now. If big clients/servers haven't removed it yet, there might be a strong reason to. I understand the protocol is outdated and moved to a historic state but completely removing the authentication protocols might actually drop support for certain servers/users/use-cases. |
Dear @cypht-org team,
For more security, can you add supports of :
You can add too:
A "big" list has been done in last link of this ticket.
SCRAM-SHA-1(-PLUS):
SCRAM-SHA-256(-PLUS):
SCRAM-SHA-512(-PLUS):
SCRAM-SHA3-512(-PLUS):
-PLUS variants:
IMAP:
LDAP:
HTTP:
2FA:
IANA:
Linked to:
The text was updated successfully, but these errors were encountered: