Add support for SHA-256/512 and/or SHA-3 for password based authentication #3159
Comments
/close as duplicate #2742 Also, are you sure SCRAM-SHA1 really has the same weaknesses as SHA1?
Hi @licaon-kter, I honestly don't know the difference between SHA-1 and SCRAM-SHA-1.
@processone: Can you reopen #2742, it is always closed... @bowlofeggs: RFC5208 -> https://tools.ietf.org/html/rfc5802
Good news, there is new information:
Note, after SCRAM-SHA-1(-PLUS):
@bowlofeggs: @prefiks has done a lot of work on SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS). SCRAM-SHA3-512(-PLUS) will be added, I think, when the RFC is here; draft link in the previous comment.
@bowlofeggs: New improvements have been added recently!
Greetings!
Is it possible to use SHA-256/512 or SHA-3 for password based authentication, in lieu of SHA-1 or MD5? When reading the docs here, it seems like SHA-256/512 are not supported:
https://docs.ejabberd.im/admin/configuration/#internal
If that is the case, I recommend adding a stronger hash to the list of supported authentication algorithms. SHA-1 is known to be weak, and it is thus not recommended to use it anymore.