
RFC6331: Moving DIGEST-MD5 to Historic #55

Closed
Tracked by #12
Neustradamus opened this issue Jan 9, 2022 · 1 comment · Fixed by #62
Labels
SASL 🔒 Authentication and authentication mechanisms

Comments


Neustradamus commented Jan 9, 2022

Dear @ruby team,

First of all, I wish you a Happy New Year!

20 November 2008: CRAM-MD5 to Historic:

29 June 2017: CRAM-MD5 to Historic:

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:
"Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was deprecated."

I add the same about SCRAM-MD5.

There are now:

  • July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
  • July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
  • November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

nevans (Collaborator) commented Jan 11, 2022

Thank you so much for simply documenting this so thoroughly and cleanly, @Neustradamus.

100% Agreed. I believe these mechanisms should be available but not loaded by default. In order to use them, users would need to do the following:

# if SASL remains in this repository as-is:
require "net/imap/authenticators/deprecated/cram-md5_authenticator"
require "net/imap/authenticators/deprecated/digest-md5_authenticator"
require "net/imap/authenticators/deprecated/login_authenticator"

Additionally a warning would be printed to $stderr when these mechanisms are loaded and every time they are used.

See also:

  • Should we create a shared net-sasl gem? #23

# if SASL is moved into the net-sasl gem
require "net/sasl/deprecated/cram-md5_authenticator"
require "net/sasl/deprecated/digest-md5_authenticator"
require "net/sasl/deprecated/login_authenticator"

nevans added a commit that referenced this issue Feb 22, 2022
n.b. the mechanisms haven't been removed.  They just aren't loaded by
default.  Closes GH-55.

By making these optional, there's no reason to require the `digest` or
`strscan` gems anymore. Closes GH-56.
nevans added a commit to nevans/net-imap that referenced this issue Jul 16, 2022
Mark obsolete SASL mechanisms as deprecated (fixes rubyGH-55):
* Warn every time a deprecated mechanism is used.
* Warnings can be disabled with `warn_deprecation: false`
* delay loading stdgem dependencies until `#initialize`.  Fixes rubyGH-56.
* This is a backwards-compatible alternative to the approach in rubyGH-58
  (don't require and add the deprecated authenticators automatically).
  We can use that incompatible approach in a later version.

Additionally:
* Adds basic tests for every authenticator (to avoid another rubyGH-52!)
* Fixes a frozen string bug in DigestMD5Authenticator.
* By making these optional, there's no reason to require the `digest` or
  `strscan` gems anymore; fixes rubyGH-56.

The DIGEST-MD5 bug was originally reported, tested, and fixed by
@singpolyma here: nevans/net-sasl#3.

Co-authored-by: Stephen Paul Weber <[email protected]>
nevans added a commit that referenced this issue Jul 16, 2022
Mark obsolete SASL mechanisms as deprecated (fixes GH-55):
* This is a backwards-compatible alternative to the approach in GH-58
  (don't require and add the deprecated authenticators automatically).
  We can use that incompatible approach in a later version.
* Warn every time a deprecated mechanism is used.
* Warnings can be disabled with `warn_deprecation: false`
* delay loading stdgem dependencies until `#initialize`.  Fixes GH-56.

Additionally:
* Adds basic tests for every authenticator (to avoid another GH-52!)
* Fixes a frozen string bug in DigestMD5Authenticator.
* By making these optional, there's no reason to require the `digest` or
  `strscan` gems anymore; fixes GH-56.

The DIGEST-MD5 bug was originally reported, tested, and fixed by
@singpolyma here: nevans/net-sasl#3.

Co-authored-by: Stephen Paul Weber <[email protected]>
nevans added a commit that referenced this issue Jul 16, 2022
Mark obsolete SASL mechanisms as deprecated (fixes GH-55):
* This is a backwards-compatible alternative to the approach in GH-58
  (don't require and add the deprecated authenticators automatically).
  We can use that incompatible approach in a later version.
* Warn every time a deprecated mechanism is used.
* Warnings can be disabled with `warn_deprecation: false`
* Fixes GH-56: delay loading standard gem dependencies until
  `#initialize`, and convert the gems to development dependencies.

Additionally:
* Adds basic tests for every authenticator (to avoid another GH-52!)
* Fixes a frozen string bug in DigestMD5Authenticator.
* Fixes constant resolution for exceptions in DigestMD5Authenticator.
* Can register an authenticator type that responds to #call (instead of
  #new).  I was originally going to register deprecated authenticators
  with a Proc that required the file and issued a warning, but I decided
  to put everything into the initializer instead.  `#authenticator`
  needed to be updated to safely delegate all args, and I left this in.

The DIGEST-MD5 bug was originally reported, tested, and fixed by
@singpolyma here: nevans/net-sasl#3.

Co-authored-by: Stephen Paul Weber <[email protected]>
@hsbt hsbt closed this as completed in #62 Sep 28, 2022
@nevans nevans added the SASL 🔒 Authentication and authentication mechanisms label Feb 12, 2023