On Fri, May 4, 2018 at 10:46 PM dormando <dorma...@rydia.net> wrote:

> The closest would be SCRAM-SHA-256/512 mechanism, but the RFC for that
> states "in combination with TLS" up front, and I'd be wary of using it
> over the internet as well.

If we ignore TLS for a second and just look at SCRAM it is fairly easy to
implement a minimalistic support for those mechanisms within SASL. There is
however one huge problem by using them in memcached without doing major
refactoring in the SASL support in memcached. By design SCRAM use a hashing
function with an iteration count, which should be set high enough to burn
enough CPU on both the client and the server to make brute force attacks
"impossible" (the RFC states that for SCRAM-SHA1 it should be _at least
4096_). Given that the memcached runs the SASL operations in the _front end
threads_, it would block all the clients bound to that thread every time
someone tries to authenticate. If there is clients connecting all the time
one could end up with all worker threads running PBKDF2 hashing and all
other operations timing out ;)

In order to add support for SCRAM you would have to move the hashing over
to a separate thread, and there is not an infrastructure for such thing in
the current memcached implementation so it would be a lot of work ;)

Dormandos suggestion with stunnel (or ipsec) sounds like the least amount
of work, but if you _really_ don't want that (or you for some reason really
want to implement something yourself) you could look into changing
memcached to use libevents bufferevents instead of the "basic" form it use
today, and then add support for using the SSL level on top of bufferevents.
I haven't tested this so I have no idea of the overhead of this and how it
would affect the overall performance. Unless all your clients want to use
SSL you probably want a dedicated port and thread pool serving these
connections. It all depends on the performance requirements you've got...



You received this message because you are subscribed to the Google Groups 
"memcached" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to memcached+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to