starred/cypht

Fork 0

mirror of https://github.com/cypht-org/cypht.git synced 2026-04-25 04:56:03 +03:00

[GH-ISSUE #354] SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #305

New issue

Open

opened 2026-02-25 21:34:41 +03:00 by kerem · 26 comments

kerem commented

2026-02-25 21:34:41 +03:00

Owner

Originally created by @Neustradamus on GitHub (Sep 7, 2019).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/354

Originally assigned to: @Danelif on GitHub.

Dear @cypht-org team,

For more security, can you add supports of :

SCRAM-SHA-1
SCRAM-SHA-1-PLUS
SCRAM-SHA-256
SCRAM-SHA-256-PLUS
SCRAM-SHA-512
SCRAM-SHA-512-PLUS
SCRAM-SHA3-512
SCRAM-SHA3-512-PLUS

You can add too:

SCRAM-SHA-224
SCRAM-SHA-224-PLUS
SCRAM-SHA-384
SCRAM-SHA-384-PLUS

A "big" list has been done in last link of this ticket.

SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

https://tools.ietf.org/html/rfc7677 since 2015-11-02
https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

-PLUS variants:

RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

https://github.com/scram-xmpp/info/issues/1

Originally created by @Neustradamus on GitHub (Sep 7, 2019). Original GitHub issue: https://github.com/cypht-org/cypht/issues/354 Originally assigned to: @Danelif on GitHub. Dear @cypht-org team, For more security, can you add supports of : - SCRAM-SHA-1 - SCRAM-SHA-1-PLUS - SCRAM-SHA-256 - SCRAM-SHA-256-PLUS - SCRAM-SHA-512 - SCRAM-SHA-512-PLUS - SCRAM-SHA3-512 - SCRAM-SHA3-512-PLUS You can add too: - SCRAM-SHA-224 - SCRAM-SHA-224-PLUS - SCRAM-SHA-384 - SCRAM-SHA-384-PLUS A "big" list has been done in last link of this ticket. ------------------- SCRAM-SHA-1(-PLUS): - https://tools.ietf.org/html/rfc5802 - https://tools.ietf.org/html/rfc6120 SCRAM-SHA-256(-PLUS): - https://tools.ietf.org/html/rfc7677 since 2015-11-02 - https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA SCRAM-SHA-512(-PLUS): - https://tools.ietf.org/html/draft-melnikov-scram-sha-512 SCRAM-SHA3-512(-PLUS): - https://tools.ietf.org/html/draft-melnikov-scram-sha3-512 -PLUS variants: - RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056 - RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 - Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml - RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266 IMAP: - RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051 LDAP: - RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 HTTP: - RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804 2FA: - Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa IANA: - Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml Linked to: - https://github.com/scram-xmpp/info/issues/1

kerem added the

Security

research

labels

2026-02-25 21:34:41 +03:00

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@jasonmunro commented on GitHub (Nov 12, 2019):

I will look into this, thanks for the report.

@jasonmunro commented on GitHub (Nov 12, 2019): I will look into this, thanks for the report.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Aug 13, 2023):

Dear @cypht-org team,

Have you progressed since 2019?

Thanks in advance.

@Neustradamus commented on GitHub (Aug 13, 2023): Dear @cypht-org team, Have you progressed since 2019? Thanks in advance.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (Aug 13, 2023):

Hi @Neustradamus

Thank you for the follow up. AFAIK, no progress has been made on this specific issue.

But we've just released a major version with tons of new features and fixes. And we've moved the project to an organization to facilitate work by various developers. Ref.: https://unencumberedbyfacts.com/2023/06/14/cypht-rebooted/

@josaphatim What do you think?

@marclaporte commented on GitHub (Aug 13, 2023): Hi @Neustradamus Thank you for the follow up. AFAIK, no progress has been made on this specific issue. But we've just released a major version with tons of new features and fixes. And we've moved the project to an organization to facilitate work by various developers. Ref.: https://unencumberedbyfacts.com/2023/06/14/cypht-rebooted/ @josaphatim What do you think?

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Aug 13, 2023):

@marclaporte: Excellent news!

Hope it will be possible to have more security in your other projects too :)

@Neustradamus commented on GitHub (Aug 13, 2023): @marclaporte: Excellent news! Hope it will be possible to have more security in your other projects too :)

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (Aug 13, 2023):

Hehe, yeah :-)

@marclaporte commented on GitHub (Aug 13, 2023): Hehe, yeah :-)

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (May 7, 2024):

@Danelif please advise.

@marclaporte commented on GitHub (May 7, 2024): @Danelif please advise.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (May 14, 2024):

I will look into this and give report

@Danelif commented on GitHub (May 14, 2024): I will look into this and give report

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (May 16, 2024):

@marclaporte I have read all the documentation provided above and in my opinion for cypht, SCRAM-SHA-256-PLUS is suitable. Unfortunately, there is no much documentation apart from the Internet Engineering Task Force (IETF).
but I found this video interesting https://www.youtube.com/watch?v=20p4zP_pvQU&pp=ugMICgJmchABGAHKBSxwcm90ZWdlciB2b3MgbW90cyBkZSBwYXNzZSBzY3JhbSBwb3N0Z3Jlc3FsIA%3D%3D an scenario with PostgreSQL database.

@Danelif commented on GitHub (May 16, 2024): @marclaporte I have read all the documentation provided above and in my opinion for cypht, SCRAM-SHA-256-PLUS is suitable. Unfortunately, there is no much documentation apart from the Internet Engineering Task Force (IETF). but I found this video interesting https://www.youtube.com/watch?v=20p4zP_pvQU&pp=ugMICgJmchABGAHKBSxwcm90ZWdlciB2b3MgbW90cyBkZSBwYXNzZSBzY3JhbSBwb3N0Z3Jlc3FsIA%3D%3D an scenario with PostgreSQL database.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (May 16, 2024):

@Danelif: Yes, PostgreSQL supports SCRAM-SHA-256 and SCRAM-SHA-256-PLUS and a lot of others projects/softs/libs/...
There is a list here: https://github.com/scram-sasl/info/issues/1.

@marclaporte: I have tried to contact you in private by e-mail, by Twitter (public message because DM is not opened for you), can you reply me? Thanks in advance.

@Neustradamus commented on GitHub (May 16, 2024): @Danelif: Yes, PostgreSQL supports SCRAM-SHA-256 and SCRAM-SHA-256-PLUS and a lot of others projects/softs/libs/... There is a list here: https://github.com/scram-sasl/info/issues/1. @marclaporte: I have tried to contact you in private by e-mail, by Twitter (public message because DM is not opened for you), can you reply me? Thanks in advance.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (May 16, 2024):

can you reply me

Done

@marclaporte commented on GitHub (May 16, 2024): > can you reply me Done

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (May 16, 2024):

@Danelif Do you feel comfortable to prepare a pull request?

@marclaporte commented on GitHub (May 16, 2024): @Danelif Do you feel comfortable to prepare a pull request?

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (May 17, 2024):

@marclaporte yes I do

@Danelif commented on GitHub (May 17, 2024): @marclaporte yes I do

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (May 17, 2024):

ok, please proceed

@marclaporte commented on GitHub (May 17, 2024): ok, please proceed

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Jun 4, 2024):

@marclaporte, @Danelif: Can you look SCRAM with Auth_SASL/Auth_SASL2?

It will be nice to have before a new release...

@Neustradamus commented on GitHub (Jun 4, 2024): @marclaporte, @Danelif: Can you look SCRAM with Auth_SASL/Auth_SASL2? - https://github.com/pear/Auth_SASL - https://github.com/pear/Auth_SASL2 It will be nice to have before a new release...

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (Jun 4, 2024):

@Neustradamus okay let me take a look

@Danelif commented on GitHub (Jun 4, 2024): @Neustradamus okay let me take a look

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (Jun 7, 2024):

Adding SCRAM-256-PLUS PR @Neustradamus

@Danelif commented on GitHub (Jun 7, 2024): [Adding SCRAM-256-PLUS PR](https://github.com/cypht-org/cypht/pull/1072) @Neustradamus

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Jun 7, 2024):

@Danelif: Nice, good job!

Can you add other SCRAM too?

@Neustradamus commented on GitHub (Jun 7, 2024): @Danelif: Nice, good job! Can you add other SCRAM too?

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (Jun 7, 2024):

@Neustradamus alright

@Danelif commented on GitHub (Jun 7, 2024): @Neustradamus alright

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Jun 7, 2024):

@Danelif: Note that there are two connection possibilities by SCRAM, example for 256:

SCRAM-SHA-256
SCRAM-SHA-256-PLUS

It will be perfect to have support of: SHA-1/SHA-256/SHA-512/SHA3-512.

Note: If you can add the -PLUS variant support into Auth_SASL/Auth_SASL2, it will be a big enhancement to have a full compatibility and will profit to several projects in the World.

@Neustradamus commented on GitHub (Jun 7, 2024): @Danelif: Note that there are two connection possibilities by SCRAM, example for 256: - SCRAM-SHA-256 - SCRAM-SHA-256-PLUS It will be perfect to have support of: SHA-1/SHA-256/SHA-512/SHA3-512. Note: If you can add the -PLUS variant support into Auth_SASL/Auth_SASL2, it will be a big enhancement to have a full compatibility and will profit to several projects in the World.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (Jun 7, 2024):

i just finished to include all SCRAM SHA in the code base

@Danelif commented on GitHub (Jun 7, 2024): i just finished to include all SCRAM SHA in the code base [PR](https://github.com/cypht-org/cypht/pull/1072)

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Danelif commented on GitHub (Jun 13, 2024):

This PR has been merged so can i remove CRAM-MD5 (https://github.com/cypht-org/cypht/pull/1063) in cypht now ? @marclaporte @Neustradamus

@Danelif commented on GitHub (Jun 13, 2024): [This PR ](https://github.com/cypht-org/cypht/pull/1072 ) has been merged so can i remove CRAM-MD5 (https://github.com/cypht-org/cypht/pull/1063) in cypht now ? @marclaporte @Neustradamus

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (Jun 13, 2024):

Wait. Is there a use case that the more advanced mechanisms would not be used?

If system always uses more secure mechanisms, it should never fall back to CRAM-MD5

@kroky @Neustradamus

@marclaporte commented on GitHub (Jun 13, 2024): Wait. Is there a use case that the more advanced mechanisms would not be used? If system always uses more secure mechanisms, it should never fall back to CRAM-MD5 @kroky @Neustradamus

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@marclaporte commented on GitHub (Jun 13, 2024):

Say the mail server only supports plain and CRAM-MD5, it's surely better to use CRAM-MD5 instead of plain?

@marclaporte commented on GitHub (Jun 13, 2024): Say the mail server only supports plain and CRAM-MD5, it's surely better to use CRAM-MD5 instead of plain?

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Jun 13, 2024):

At the same time of CRAM-MD5 removal, it is possible to remove LOGIN too.

The latest possibility for "old servers" is PLAIN with TLS.

@Neustradamus commented on GitHub (Jun 13, 2024): At the same time of CRAM-MD5 removal, it is possible to remove LOGIN too. The latest possibility for "old servers" is PLAIN with TLS.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@kroky commented on GitHub (Jun 14, 2024):

I'd deprecate and use as a last resort for now. If big clients/servers haven't removed it yet, there might be a strong reason to. I understand the protocol is outdated and moved to a historic state but completely removing the authentication protocols might actually drop support for certain servers/users/use-cases.

@kroky commented on GitHub (Jun 14, 2024): I'd deprecate and use as a last resort for now. If big clients/servers haven't removed it yet, there might be a strong reason to. I understand the protocol is outdated and moved to a historic state but completely removing the authentication protocols might actually drop support for certain servers/users/use-cases.

kerem commented

2026-02-25 21:34:42 +03:00

Author

Owner

@Neustradamus commented on GitHub (Jul 23, 2025):

Linked to:

@Neustradamus commented on GitHub (Jul 23, 2025): Linked to: - https://github.com/scram-sasl/info/issues/1 - https://github.com/cypht-org/cypht/pull/1072 - https://github.com/cypht-org/cypht/pull/1082 - https://github.com/cypht-org/cypht/pull/1083