Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove historic CRAM-MD5 mechanism #107675

Open
Neustradamus opened this issue Aug 6, 2023 · 7 comments
Open

Remove historic CRAM-MD5 mechanism #107675

Neustradamus opened this issue Aug 6, 2023 · 7 comments
Labels
topic-email type-feature A feature request or enhancement type-security A security issue

Comments

@Neustradamus
Copy link

Neustradamus commented Aug 6, 2023
edited by bedevere-bot

Can you remove CRAM-MD5 from the code?

It is unsecure:

Thanks in advance.

Linked PRs
@Neustradamus Neustradamus added the type-feature A feature request or enhancement label Aug 6, 2023
@Agent-Hellboy
Copy link
Contributor

if salted CRAM solves the problem then I can try to implement it.

@Agent-Hellboy
Copy link
Contributor

Agent-Hellboy commented Aug 6, 2023
edited

response from the Gmail server, I guess very few servers must be responding(configured) with CRAM-MD5

{'size': '35882577', '8bitmime': '', 'auth': ' LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH', 'enhancedstatuscodes': '', 'pipelining': '', 'chunking': '', 'smtputf8': ''}

are XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH being handled from imaplib these days, and do we just need to remove CRAM-MD5 from smtplib?

If salted CRAM solves the problem then I can try to implement it.

I guess not required, we can share a PLAIN password over SSL.

do we need to remove it from imaplib as well?
https://github.com/python/cpython/blob/71a7c96ffeb0d7fef06be3e57468896e030967a5/Lib/imaplib.py#L617C1-L631C78

@Neustradamus
Copy link
Author

@Agent-Hellboy: Yes it can be removed from all, IMAP/SMTP and other places:

Please note that LOGIN has been replaced by PLAIN but PLAIN can not be used without a secure connection.

@Agent-Hellboy
Copy link
Contributor

Sure, I will raise a PR to remove these instances and will update the docs.

@bedevere-bot bedevere-bot mentioned this issue Aug 13, 2023
Open
Agent-Hellboy added a commit to Agent-Hellboy/cpython that referenced this issue Aug 13, 2023
@Agent-Hellboy
pythongh-107675: Remove historic auth mechanism login_cram_md5
9319a44
@bedevere-bot bedevere-bot mentioned this issue Aug 13, 2023
Open
@AA-Turner
Copy link
Member

@Agent-Hellboy -- if there is consensus to remove these algorthims (none exists currently) we will need to go through the standard deprecation process (see PEP-387), which would be to deprecate now (Python 3.13) and remove any functionality no earlier than Python 3.15. Please could you update your pull requests to note the deprecation, but not remove any functionality?

(Note as before, the removal of these algorthims hasn't been agreed yet, but if removal is agreed we would need to deprecate first).

A

@Agent-Hellboy
Copy link
Contributor

if there is consensus to remove these algorthims (none exists currently) we will need to go through the standard deprecation process (see PEP-387), which would be to deprecate now (Python 3.13) and remove any functionality no earlier than Python 3.15

sure, I will read the PEP and make the changes in PR.

(Note as before, the removal of these algorthims hasn't been agreed yet, but if removal is agreed we would need to deprecate first).

I will post this in the discourse to see if people agree, if not I will close the PR

@hugovk
Copy link
Member

hugovk commented Aug 13, 2023

For reference, the Discourse topic:

https://discuss.python.org/t/should-we-deprecate-the-historic-cram-md5-mechanism-from-smtplib-and-imaplib/31556?u=hugovk

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic-email type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Neustradamus @hugovk @AA-Turner @Agent-Hellboy