Hi Sergei,


I'm going to create the feature requests as you mentioned.


> Neither password hashing nor certificate fingerprinting, as far as I can

> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is used though.


However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may be caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect our customers against these types of attacks.


I will try to provide as many information as I can in the following feature requests at jira.mariadb.com


Thank you

Lukas



On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik <serg@mariadb.org> wrote:
Hi, Lukas!

On Mar 19, Lukas Javorsky wrote:
>
> The main functions that are important for us is the password hashing,
> certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> MD5

Neither password hashing nor certificate fingerprinting, as far as I can
see, use MD5.

Password hashing, indeed, uses SHA-1. It's still secure, as far as I
know, but I understand that you're likely just need a checkbox "no
SHA-1 inside". Please, create a feature request at jira.mariadb.org for
that (use type=task, project=MDEV).

Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
If think it might make sense to allow other digest algorithms too.
Please, create a feature request at jira.mariadb.org (project=CONC).

Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org



--
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@redhat.com