On Wed, Mar 4, 2015 at 4:52 PM, Stephen Frost <sfr...@snowman.net> wrote:
> > A lot of discussion has been going on with SCRAM and SASL, which is all > great, but that means we end up with a dependency on SASL or we have to > reimplement SCRAM (which I've been thinking might not be a bad idea- > it's actually not that hard), but another suggestion was made which may > I'd really rather not add a dependency on SASL if we can avoid it. I haven't read up on SCRAM, but if it's reasonable enough to reimplement - or if there is a BSD licensed implementation that we can import into our own sourcetree without adding a dependency on SASL, that sounds like a good way to proceed. > be worthwhile to consider- OpenSSL and GnuTLS both support TLS-SRP, the > RFC for which is here: http://www.ietf.org/rfc/rfc5054.txt. We already > have OpenSSL and therefore this wouldn't create any new dependencies and > might be slightly simpler to implement. > OpenSSL is not a *requirement* today, it's an optional dependency. Given it's license we really can't make it a mandatory requirement I think. So if we go down that route, we still leave md5 in there as the one that works everywhere. Also AFAICT TLS-SRP actually requires the connection to be over TLS - so are you suggesting that TLS becomes mandatory? It sounds like something that could be interesting to have, but not as a solution to the "md5 problem", imo. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
