Closed bowlofeggs closed 4 years ago
/close as duplicate https://github.com/processone/ejabberd/issues/2742
Also, are you sure SCRAM-SHA1 really has the same weaknesses as SHA1? e.g. https://www.gnu.org/software/gsasl/manual/html_node/SCRAM_002dSHA_002d1.html
Hi @licaon-kter, I honestly don't know the difference between SHA-1 and SCRAM-SHA-1.
@ProcessOne: Can you reopen #2742, it is always closed...
@bowlofeggs: RFC5208 -> https://tools.ietf.org/html/rfc5802
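The RFC 5802 exchange linked above, worked through in Python as an added example (not code from this thread or from ejabberd): it reproduces the RFC's own SCRAM-SHA-1 test vector and shows where SHA-1 actually sits in the mechanism, inside PBKDF2 and HMAC, with the server keeping only StoredKey and ServerKey rather than the password. The `algo` parameter is an addition so the same construction can be run with SHA-256 or SHA-512.

```python
import base64
import hashlib
import hmac

# Example exchange from RFC 5802 section 5 (values taken from the RFC).
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()


def parse_server_first(msg):
    """Extract salt (bytes) and iteration count from a server-first-message."""
    attrs = dict(kv.split("=", 1) for kv in msg.split(","))
    return base64.b64decode(attrs["s"]), int(attrs["i"])


def derive_keys(password, salt, iterations, algo="sha1"):
    """SaltedPassword -> ClientKey, StoredKey, ServerKey (RFC 5802 section 3).
    The hash is used only as the PRF of PBKDF2/HMAC, never over attacker-chosen data."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    stored_key = hashlib.new(algo, client_key).digest()
    return client_key, stored_key, server_key


def client_proof(password, salt, iterations, auth_message, algo="sha1"):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations, algo)
    client_sig = hmac.new(stored_key, auth_message, algo).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def server_verifies(stored_key, auth_message, proof, algo="sha1"):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Only StoredKey is needed at rest, so a database leak does not reveal the password."""
    client_sig = hmac.new(stored_key, auth_message, algo).digest()
    recovered_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(algo, recovered_key).digest(), stored_key)


def rfc5802_example(algo="sha1"):
    """Run the RFC exchange; returns base64 proof, base64 server signature,
    whether the correct proof verifies, and whether a wrong password is rejected."""
    salt, iterations = parse_server_first(SERVER_FIRST)
    _, stored_key, server_key = derive_keys("pencil", salt, iterations, algo)
    proof = client_proof("pencil", salt, iterations, AUTH_MESSAGE, algo)
    bad_proof = client_proof("pencil2", salt, iterations, AUTH_MESSAGE, algo)
    signature = hmac.new(server_key, AUTH_MESSAGE, algo).digest()
    return (base64.b64encode(proof).decode(), base64.b64encode(signature).decode(),
            server_verifies(stored_key, AUTH_MESSAGE, proof, algo),
            server_verifies(stored_key, AUTH_MESSAGE, bad_proof, algo))
```

With `algo="sha1"` the proof and signature match the RFC text exactly; with `algo="sha256"` the same code yields the SCRAM-SHA-256 values for that exchange.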
Good news, there is new information:
Note, after SCRAM-SHA-1(-PLUS):
@bowlofeggs: @prefiks has done a lot of work about SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS).
SCRAM-SHA3-512(-PLUS) will be added, I think, when the RFC is here; the draft link is in the previous comment.
@bowlofeggs: New improvements have been added recently!
Greetings!
Is it possible to use SHA-256/512 or SHA-3 for password based authentication, in lieu of SHA-1 or MD5? When reading the docs here, it seems like SHA-256/512 are not supported:
https://docs.ejabberd.im/admin/configuration/#internal
If that is the case, I recommend adding a stronger hash to the list of supported authentication algorithms. SHA-1 is known to be weak, and it is thus not recommended to use it anymore.