SCRAM-SHA-1(-PLUS) + SCRAM-SHA-224(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-384(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

[Neustradamus]

Can you add supports of :

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
• SCRAM-SHA3-512
• SCRAM-SHA3-512-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):

• https://tools.ietf.org/html/rfc5802
• https://tools.ietf.org/html/rfc6120

SCRAM-SHA-256(-PLUS):

• https://tools.ietf.org/html/rfc7677 since 2015-11-02
• https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

• https://tools.ietf.org/html/draft-melnikov-scram-bis

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• Channel Bindings for TLS 1.3: https://datatracker.ietf.org/doc/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

JMAP:

• RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• https://github.com/scram-xmpp/info/issues/1
• https://github.com/smiley22/S22.Xmpp/issues/16
• https://github.com/pgstath/Sharp.Xmpp/issues/70
• https://github.com/ALE-Rainbow/Sharp.Ws.Xmpp/issues/9
• https://github.com/REPLDigital/Sharp.Xmpp/issues/3
• https://github.com/ParamountVentures/XMPPEngineer/issues/4
• https://github.com/luz-sf/Net.Xmpp/issues/18
• https://github.com/vitalyster/SharpXMPP/issues/30
• https://github.com/vitalyster/SharpXMPP/discussions/119

[filipnavara]

Just a sidenote: SHA-224 and SHA3 are not implemented in .NET so it's unlikely the support for them would be easy to add. The other ones are pretty simple for the basic username/password login situation. We are currently using a different XMPP implementation in our project but we are looking into the possibility to switch to this library. SCRAM-SHA-1 is the only one that we saw in a more widespread use.

[ChristopheI]

Hi, I'm working and maintaining this library since I'm using it in business projects. I have not so much time to develop extra features and more specifically when it's necessary to configure server settings ... But ,iIf you have the opportunity to provide me an account so I can use a server with this kind of authentications it will help a lot ! And with a priority list of authentication mechanism too (I notice SCRAM-SHA-1 as first one) Thx.

PS: Which library are you using ?

[filipnavara]

Which library are you using?

We used a fork of Jabber-Net which was an old library ported over from Java. Since we forked it about 10 years ago it doesn't resemble much of the original code, or the last maintained fork at https://github.com/ForNeVeR/jabber-net. Specifically, for authentication we use our own SASL library that implements variety of the authentication mechanism and we share this library for IMAP, SMTP and other protocols. Structurally it's very similar to the SASL methods in this library. I am pondering whether there would be any point in open sourcing it.

For reference, here's a current source of our authentication classes (free to use under MIT license but not maintained): MailClient.Authentication.zip

If the original issue author doesn't come up with some test servers I can ask Alexey (the author of the RFCs) to see if he / Isode would be able to provide some.

[Neustradamus]

Hello all,

Thanks for your comment :)

XMPP servers, XMPP clients, XMPP librairies are listed with SCRAM possibilities here:

• https://github.com/scram-xmpp/info/issues/1

MailKit (https://github.com/jstedfast/MailKit) supports:

• SCRAM-SHA-1
• SCRAM-SHA-256
• SCRAM-SHA-512

SHA3, linked to:

• https://github.com/dotnet/runtime/issues/20342
• https://github.com/microsoft/dotnet-framework-early-access/issues/44

[ChristopheI]

Thank you for your inputs. I will take a deeper look at the end of the week.

[Neustradamus]

@filipnavara, @ChristopheI: I have added some linked repositories but not all: please look forks/commits:

• https://github.com/smiley22/S22.Xmpp/network

3 supports SCRAM-SHA-1 (but not others):

• https://github.com/smiley22/S22.Xmpp
• https://github.com/pgstath/Sharp.Xmpp
• https://github.com/vitalyster/SharpXMPP

[Neustradamus]

@filipnavara, @ChristopheI: Have you progressed on it?