Support SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512 🔐 #1
Thanks @alexanderadam. I did the development and testing against ejabberd and that didn't support such SASL methods. I'll try to put some effort into looking into the specs and find some servers which support this mechanism for testing purposes.
Maybe it would make sense to add a There are various examples available already (i.e. for ejabberd or prosody). This way you could easily spin up a server in development and configure it like you want (i.e. ejabberd for Maybe it would even make sense to test the same image(s) on a CI system that's free for Free Software (i.e. Travis or CircleCI). This way you (and of course also other developers) could just spin up a local server with Or record XMPP requests with VCR.cr and use the records in specs (this would be much faster, of course). And I don't know if you know it already, but there's a wonderful spec library for Crystal called Spectator. Its maintainer is currently adding stubbing and mocking support to it, which might come in handy, too (I mention this because it's obviously easier to switch a test suite in the early stages of a project).
PS: I see that the major servers have support for
PPS: @naqvis I added
EDIT: It seems that at least these servers are able to do
I'll be adding
@naqvis: Why this old DIGEST-MD5 and not the more secure SCRAM?
@Neustradamus
@naqvis: Yes, of course, but it must not be privileged; SCRAM is better... Please look:
Will be updating repo sometime this week with below listed SASL mechanisms
DON'T have any plan to implement and support external channel bindings or Will comment once updates are committed to repo.
Updated repo with latest changes to support requested SASL Auth mechanisms.
@naqvis: Nice job!
Thanks @Neustradamus |
@naqvis, @alexanderadam: What is missing/needed for the -PLUS variant? Have you found problems with SCRAM-SHA-512 with:
@Neustradamus I guess nothing is needed if you are gonna provide a PR. 👍 I'm sure naqvis would be happy to accept it.
Warmly welcome PR |
@naqvis, @alexanderadam: OK one day maybe... Can you test SCRAM-SHA-256 and SCRAM-SHA-512 with:
-> Observations?
@naqvis, @alexanderadam: After 1/256/512, can you add 224/384 too and SCRAM-SHA3-512?
Dear all, @naqvis, @alexanderadam, I wish you a Happy New Year 2024! Can improvements be done?
First of all: thank you so much for your work! 🙏
It would be nice if these authentication methods were supported:
SCRAM
🔐SCRAM-SHA-1
SCRAM-SHA-256
SCRAM-SHA-512
DIGEST-MD5
(it's considered insecure and therefore obsolete nowadays, but AFAIK it is still the most common mechanism)
See also the XMPP wiki.
PS: Just to be sure: the strongest variants should obviously be preferred, because SHA-1 (see RFC 4270 and RFC 6194) and MD5 (RFC 6331) are considered obsolete.
PPS: I'm not sure whether it's worth anything, but Kafka and MongoDB also use SCRAM for authentication. Therefore the Ruby Kafka client and the Ruby MongoDB driver could be used as inspiration.
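The mechanisms requested in this issue, as an added worked example that is not part of the issue or of the library under discussion: a minimal SCRAM client and server (RFC 5802, with the SHA-256 profile of RFC 7677) in Ruby, chosen because the Ruby Kafka client and MongoDB driver are the reference points named above, rather than the project's own Crystal. The `Scram` module, `pick_mechanism` and `scram_exchange` are hypothetical names written for this example. It covers only the non -PLUS variants (no channel binding, matching what the thread says was implemented), orders mechanism selection so DIGEST-MD5 is used only when no SCRAM variant is offered, has the server store StoredKey/ServerKey instead of the password, and checks the server's signature so a server that does not hold the enrolled keys is rejected. The sample run in the usage note uses the RFC 7677 section 3 test vector (user `user`, password `pencil`, fixed nonces and salt), so the output can be checked against the RFC.

```ruby
require "openssl"
require "securerandom"

# Strongest-first preference: DIGEST-MD5 is chosen only when no SCRAM variant is offered.
MECHANISM_PREFERENCE = %w[SCRAM-SHA-512 SCRAM-SHA-256 SCRAM-SHA-1 DIGEST-MD5].freeze
def pick_mechanism(offered, preference = MECHANISM_PREFERENCE)
  preference.find { |m| offered.include?(m) }
end

# Minimal SCRAM (RFC 5802 / RFC 7677) without channel binding, i.e. the non -PLUS variants
# ("n,," GS2 header). Hypothetical module written for this example, not the library's own API.
module Scram
  DIGESTS = { "SCRAM-SHA-1" => "SHA1", "SCRAM-SHA-256" => "SHA256", "SCRAM-SHA-512" => "SHA512" }.freeze
  GS2_HEADER = "n,,"
  def self.b64(s) [s].pack("m0") end # strict base64, no line breaks
  def self.unb64(s) s.unpack1("m0") end
  def self.hmac(d, key, data) OpenSSL::HMAC.digest(d, key, data) end
  def self.h(d, data) OpenSSL::Digest.new(d).digest(data) end
  def self.xor(a, b) a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*") end
  def self.parse(msg) msg.split(",").map { |kv| kv.split("=", 2) }.to_h end # values may contain '='
  def self.secure_compare(a, b) # constant-time equality for proofs and signatures
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  def self.salted_password(d, password, salt, iterations) # Hi(): PBKDF2, output = hash length
    md = OpenSSL::Digest.new(d)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, md.digest_length, md)
  end

  # Enrolment: the server keeps salt, StoredKey and ServerKey, never the cleartext password.
  def self.enrol(mech, password, salt, iterations)
    d = DIGESTS.fetch(mech)
    salted = salted_password(d, password, salt, iterations)
    { salt: salt, iterations: iterations, stored_key: h(d, hmac(d, salted, "Client Key")),
      server_key: hmac(d, salted, "Server Key") }
  end

  class Client
    def initialize(mech, username, password, nonce: SecureRandom.urlsafe_base64(18))
      @digest, @password, @nonce = DIGESTS.fetch(mech), password, nonce
      saslname = username.gsub("=", "=3D").gsub(",", "=2C") # RFC 5802 saslname escaping
      @client_first_bare = "n=#{saslname},r=#{nonce}"
    end
    def client_first() GS2_HEADER + @client_first_bare end

    def client_final(server_first)
      f = Scram.parse(server_first)
      combined = f.fetch("r")
      raise "server nonce must extend the client nonce" unless combined.start_with?(@nonce)
      iterations = Integer(f.fetch("i"))
      raise "iteration count below the RFC 7677 minimum" if iterations < 4096 # local policy
      salted = Scram.salted_password(@digest, @password, Scram.unb64(f.fetch("s")), iterations)
      client_key = Scram.hmac(@digest, salted, "Client Key")
      without_proof = "c=#{Scram.b64(GS2_HEADER)},r=#{combined}"
      auth_message = [@client_first_bare, server_first, without_proof].join(",")
      client_sig = Scram.hmac(@digest, Scram.h(@digest, client_key), auth_message)
      @expected_v = Scram.hmac(@digest, Scram.hmac(@digest, salted, "Server Key"), auth_message)
      "#{without_proof},p=#{Scram.b64(Scram.xor(client_key, client_sig))}"
    end

    # Mutual authentication: only a server holding ServerKey can produce this signature.
    def server_authenticated?(server_final)
      f = Scram.parse(server_final)
      !f.key?("e") && Scram.secure_compare(Scram.unb64(f.fetch("v", "")), @expected_v)
    end
  end

  class Server
    def initialize(mech, credential, nonce: SecureRandom.urlsafe_base64(18))
      @digest, @cred, @nonce = DIGESTS.fetch(mech), credential, nonce
    end
    def server_first(client_first)
      raise "channel binding not supported" unless client_first.start_with?(GS2_HEADER)
      @client_first_bare = client_first[GS2_HEADER.size..-1]
      @combined = Scram.parse(@client_first_bare).fetch("r") + @nonce
      @server_first = "r=#{@combined},s=#{Scram.b64(@cred[:salt])},i=#{@cred[:iterations]}"
    end
    def server_final(client_final)
      f = Scram.parse(client_final)
      return "e=other-error" unless f["r"] == @combined && f["c"] == Scram.b64(GS2_HEADER)
      without_proof = client_final.sub(/,p=[^,]*\z/, "")
      auth_message = [@client_first_bare, @server_first, without_proof].join(",")
      client_sig = Scram.hmac(@digest, @cred[:stored_key], auth_message)
      proof = Scram.unb64(f.fetch("p", ""))
      # ClientKey = proof XOR ClientSignature; H(ClientKey) must equal the enrolled StoredKey.
      return "e=invalid-proof" unless proof.bytesize == client_sig.bytesize &&
        Scram.secure_compare(Scram.h(@digest, Scram.xor(proof, client_sig)), @cred[:stored_key])
      "v=#{Scram.b64(Scram.hmac(@digest, @cred[:server_key], auth_message))}"
    end
  end
end

# One complete exchange; the client presents `client_password` (the enrolled one by default).
def scram_exchange(mech, user, password, client_nonce:, server_nonce:, salt:,
                   iterations: 4096, client_password: password)
  server = Scram::Server.new(mech, Scram.enrol(mech, password, salt, iterations), nonce: server_nonce)
  client = Scram::Client.new(mech, user, client_password, nonce: client_nonce)
  c1 = client.client_first; s1 = server.server_first(c1)
  c2 = client.client_final(s1); s2 = server.server_final(c2)
  { client_first: c1, server_first: s1, client_final: c2, server_final: s2,
    authenticated: client.server_authenticated?(s2) }
end
```

Calling `scram_exchange("SCRAM-SHA-256", "user", "pencil", client_nonce: "rOprNGfwEbeRWgbNEkqO", server_nonce: "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", salt: Scram.unb64("W22ZaJ0SNY7soEsUEjb6gQ=="))` reproduces the four messages of RFC 7677 section 3, ending in `v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=`; adding `client_password: "pencils"` makes the server answer `e=invalid-proof` and `authenticated` false. The client refuses an iteration count below 4096 and a server nonce that does not begin with its own nonce, and because the server only ever holds StoredKey and ServerKey, a leaked credential store does not hand out the password itself.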