On Wed, Mar 4, 2015 at 4:52 PM, Stephen Frost <sfrost@snowman.net> wrote:
A lot of discussion has been going on with SCRAM and SASL, which is all great, but that means we end up with a dependency on SASL or we have to reimplement SCRAM (which I've been thinking might not be a bad idea- it's actually not that hard), but another suggestion was made which may
I'd really rather not add a dependency on SASL if we can avoid it. I haven't read up on SCRAM, but if it's reasonable enough to reimplement - or if there is a BSD licensed implementation that we can import into our own sourcetree without adding a dependency on SASL, that sounds like a good way to proceed.
be worthwhile to consider- OpenSSL and GnuTLS both support TLS-SRP, the RFC for which is here: http://www.ietf.org/rfc/rfc5054.txt. We already have OpenSSL and therefore this wouldn't create any new dependencies and might be slightly simpler to implement.
OpenSSL is not a *requirement* today, it's an optional dependency. Given it's license we really can't make it a mandatory requirement I think. So if we go down that route, we still leave md5 in there as the one that works everywhere.
Also AFAICT TLS-SRP actually requires the connection to be over TLS - so are you suggesting that TLS becomes mandatory?
It sounds like something that could be interesting to have, but not as a solution to the "md5 problem", imo.