Closed sagikazarmark closed 3 years ago
dbu
commented
8 years ago agree that chosing the algorithm is a good idea. but why force specifying it? is SHA1 not a good default in most cases? how do we implement this, are there constants for the algorithms? or are they just strings that get passed to the underlying libraries?
xabbuh
commented
8 years ago @dbu Simple strings will work. You can just pass it as the algorithm argument to PHP's hash() function (optionally checking with hash_algos() before whether or not the algorithm ID available).
sagikazarmark
commented
8 years ago Simple strings will work.
That was my idea too.
is SHA1 not a good default in most cases?
It is, but this is always declared by the server side and SHA1 is not recommended, rather SHA512
dbu
commented
8 years ago can client and server negotiate the encryption they use? just wondering how we can make this convenient for the users.
sagikazarmark
commented
8 years ago No, they can't. The point is that they use a nonce and a timestamp together with the password to create the hash which the server can create too, because they use the same hashing and the server knows the password too. At least I never read anything about negotiating the hashing algo in WSSE.
Actual Behavior
The authentication uses SHA1 to hash the token.
Expected Behavior
User should be allowed to change hashing mechanism based on the server.
Possible Solutions
Add a new parameter in the constructor with the default value SHA1. The default value should be deprecated right away and be replaced with a mandatory one: check the number of arguments and trigger a deprecated error if we see the default value is used.