Hi Sergei,
I'm going to create the feature requests as you mentioned.
> Neither password hashing nor certificate fingerprinting, as far as I can
> see, use MD5.
Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is used though.
However, we don't just have the checkbox for this.
The computing power is really skyrocketing every year, and we should be prepared rather than waiting for it.
That's why we are doing extra steps to prevent any security issues that may be caused by weak algorithms.
And since MariaDB is pretty big and widely used software we need to protect our customers against these types of attacks.
I will try to provide as many information as I can in the following feature requests at jira.mariadb.com
Thank you
Lukas
Hi, Lukas!
On Mar 19, Lukas Javorsky wrote:
>
> The main functions that are important for us is the password hashing,
> certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> MD5
Neither password hashing nor certificate fingerprinting, as far as I can
see, use MD5.
Password hashing, indeed, uses SHA-1. It's still secure, as far as I
know, but I understand that you're likely just need a checkbox "no
SHA-1 inside". Please, create a feature request at jira.mariadb.org for
that (use type=task, project=MDEV).
Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
If think it might make sense to allow other digest algorithms too.
Please, create a feature request at jira.mariadb.org (project=CONC).
Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org
Lukáš Javorský
Associate Software Engineer, Core service - Databases
Purkyňova 115 (TPB-C)
612 00 Brno - Královo Pole