nioc / xmpp-web

Lightweight web chat client for XMPP server
GNU Affero General Public License v3.0
143 stars 20 forks source link

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #122

Closed Neustradamus closed 6 months ago

Neustradamus commented 6 months ago

Describe the bug

Dear @nioc,

Can you add supports of :

You can add too:

RFC8600: https://tools.ietf.org/html/rfc8600 (2019-06-21): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

HTTP:

2FA:

IANA:

Linked to:

Steps to reproduce

*

Expected behavior

*

Relevant log

No response

local.js configuration

No response

XMPP-web version

*

Installation

Docker image

XMPP server(s)

Prosody IM, ejabberd, Tigase XMPP Server, other

Browser(s)

No response

Device(s)

No response

Other information

No response

nioc commented 6 months ago

Hello @Neustradamus, unfortunately, I have no idea how to do this... may be you can search (or ask people) in the xmpp.js library used by wep-xmpp.

Otherwise I won't be able to implement this feature.

Neustradamus commented 6 months ago

@nioc: xmpp.js development has been stopped several years ago and does not support recent SCRAM versions. Hope that you can look to solve it and to permit to use a better SCRAM for security and to look to add -PLUS variants (TLS Channel Binding).

There is strophejs a better support for example.

SCRAM and JavaScript:

nioc commented 6 months ago

This is a huge project, since the entire application is based on this library... if someone wants to handle it, we'll reopen the ticket...

Neustradamus commented 6 months ago

@nioc: With your reaction, I can inform you that an unsolved ticket which is closed, there will have never a solution.

It is important to keep this ticket opens.