From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: MD5 authentication needs help |
Date: | 2015-03-04 15:56:40 |
Message-ID: | CABUevExykp-dz5MSED+f3x5XXJq9D8MoqoxM5uZUhKFzROTgmw@mail.gmail.com |
Lists: | pgsql-hackers |

On Wed, Mar 4, 2015 at 4:52 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> A lot of discussion has been going on with SCRAM and SASL, which is all
> great, but that means we end up with a dependency on SASL or we have to
> reimplement SCRAM (which I've been thinking might not be a bad idea-
> it's actually not that hard), but another suggestion was made which may
>

I'd really rather not add a dependency on SASL if we can avoid it. I
haven't read up on SCRAM, but if it's reasonable enough to reimplement - or
if there is a BSD licensed implementation that we can import into our own
source tree without adding a dependency on SASL, that sounds like a good way
to proceed.

> be worthwhile to consider- OpenSSL and GnuTLS both support TLS-SRP, the
> RFC for which is here: http://www.ietf.org/rfc/rfc5054.txt. We already
> have OpenSSL and therefore this wouldn't create any new dependencies and
> might be slightly simpler to implement.
>

OpenSSL is not a *requirement* today, it's an optional dependency. Given
its license we really can't make it a mandatory requirement I think. So if
we go down that route, we still leave md5 in there as the one that works
everywhere.

Also AFAICT TLS-SRP actually requires the connection to be over TLS - so
are you suggesting that TLS becomes mandatory?

It sounds like something that could be interesting to have, but not as a
solution to the "md5 problem", imo.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/