DIGEST-MD5 does not work with qop='auth-conf'

Question

DIGEST-MD5 does not work with qop='auth-conf'

Closed this issue 6 years ago · 3 comments

If qop='auth-conf', the client must accept one of the server's cipher algorithms. Currently, it does not send back a cipher, so the server sends back an error message and closes the connection.

I tried hardcoding cipher='3des', but I ran into errors encoding/decoding messages and did not know how to proceed from there.

I noticed that there is a comment that DIGEST-MD5 is "incomplete and untested". Can you please complete this module?

Answer 1 · 2016-01-19T21:22:51.000Z

Thanks for the report, I'll try to look into this soon.

Answer 2 · 2016-01-20T04:29:55.000Z

One thing I noticed--this library follows the Java SASL library convention of not including a length prefix before wrapped messages.

Section 3.7 of the SASL RFC says it should be length prefixed: https://www.ietf.org/rfc/rfc4422.txt. The cyrus-sasl library does this.

On the other hand, the Java SASL library sends the length prefix out of band (see "Using the Negotiated Security Layer"): https://docs.oracle.com/javase/7/docs/technotes/guides/security/sasl/sasl-refguide.html

Answer 3 · 2018-03-07T06:36:48.000Z

DIGEST-MD5 no longer supports auth-int or auth-conf. I strongly suggest just using TLS for transport security.