Add support for SHA-256/512 and/or SHA-3 for password based authentication #3159
Labels
Comments
|
/close as duplicate #2742 Also, are you sure SCRAM-SHA1 really has the same weaknesses as SHA1? |
|
Hi @licaon-kter, I honestly don't know the difference between SHA-1 and SCRAM-SHA-1. |
|
@processone: Can you reopen #2742, it is always closed... @bowlofeggs: RFC5208 -> https://tools.ietf.org/html/rfc5802 |
|
Good news, there are new informations:
Note, after SCRAM-SHA-1(-PLUS):
|
|
@bowlofeggs: @prefiks has done a lot of work about SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS). SCRAM-SHA3-512(-PLUS) will be added, I think, when the RFC will be here, draft link in the previous comment. |
|
@bowlofeggs: New improvements have been added recently! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Greetings!
Is it possible to use SHA-256/512 or SHA-3 for password based authentication, in lieu of SHA-1 or MD5? When reading the docs here, it seems like SHA-256/512 are not supported:
https://docs.ejabberd.im/admin/configuration/#internal
If that is the case, I recommend adding a stronger hash to the list of supported authentication algorithms. SHA-1 is known to be weak, and it is thus not recommended to use it anymore.
The text was updated successfully, but these errors were encountered: