Re: MD5 authentication needs help
From | Magnus Hagander |
---|---|
Subject | Re: MD5 authentication needs help |
Date | |
Msg-id | CABUevExykp-dz5MSED+f3x5XXJq9D8MoqoxM5uZUhKFzROTgmw@mail.gmail.com |
In response to | Re: MD5 authentication needs help (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: MD5 authentication needs help |
List | pgsql-hackers |

On Wed, Mar 4, 2015 at 4:52 PM, Stephen Frost <sfrost@snowman.net> wrote:
> A lot of discussion has been going on with SCRAM and SASL, which is all
> great, but that means we end up with a dependency on SASL or we have to
> reimplement SCRAM (which I've been thinking might not be a bad idea-
> it's actually not that hard), but another suggestion was made which may

I'd really rather not add a dependency on SASL if we can avoid it. I haven't read up on SCRAM, but if it's reasonable enough to reimplement - or if there is a BSD-licensed implementation that we can import into our own source tree without adding a dependency on SASL, that sounds like a good way to proceed.

> be worthwhile to consider- OpenSSL and GnuTLS both support TLS-SRP, the
> RFC for which is here: http://www.ietf.org/rfc/rfc5054.txt. We already
> have OpenSSL and therefore this wouldn't create any new dependencies and
> might be slightly simpler to implement.

OpenSSL is not a *requirement* today, it's an optional dependency. Given its license we really can't make it a mandatory requirement I think. So if we go down that route, we still leave md5 in there as the one that works everywhere.

Also AFAICT TLS-SRP actually requires the connection to be over TLS - so are you suggesting that TLS becomes mandatory?

It sounds like something that could be interesting to have, but not as a solution to the "md5 problem", imo.