maria-discuss team mailing list archive

[Lukas Javorsky <ljavorsk@xxxxxxxxxx>]

Hi Sergei,

I'm going to create the feature requests as you mentioned.

> Neither password hashing nor certificate fingerprinting, as far as I can

> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is
used though.

However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be
prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may
be caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect
our customers against these types of attacks.


I will try to provide as many information as I can in the following feature
requests at jira.mariadb.com

Thank you

Lukas


On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:

> Hi, Lukas!
>
> On Mar 19, Lukas Javorsky wrote:
> >
> > The main functions that are important for us is the password hashing,
> > certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> > MD5
>
> Neither password hashing nor certificate fingerprinting, as far as I can
> see, use MD5.
>
> Password hashing, indeed, uses SHA-1. It's still secure, as far as I
> know, but I understand that you're likely just need a checkbox "no
> SHA-1 inside". Please, create a feature request at jira.mariadb.org for
> that (use type=task, project=MDEV).
>
> Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
> If think it might make sense to allow other digest algorithms too.
> Please, create a feature request at jira.mariadb.org (project=CONC).
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and security@xxxxxxxxxxx
>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@xxxxxxxxxx
<https://www.redhat.com>