maria-discuss team mailing list archive

Re: Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

 

Hey Lukas,

 

For clarity, can you post the relevant Jira issues?

 

I have these in my watch list:

* https://jira.mariadb.org/browse/MDEV-12701
* https://jira.mariadb.org/browse/MDEV-12160
* https://jira.mariadb.org/browse/MDEV-16503

 

 

Thanks,

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd@xxxxxxxxx

Zoom: Coming soon

 

 

From: Maria-discuss <maria-discuss-bounces+ngtech1ltd=gmail.com@xxxxxxxxxxxxxxxxxxx> On Behalf Of Lukas Javorsky
Sent: Monday, March 22, 2021 1:28 PM
To: Sergei Golubchik <serg@xxxxxxxxxxx>
Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

 

Hi Sergei,

 

I'm going to create the feature requests as you mentioned.

 

> Neither password hashing nor certificate fingerprinting, as far as I can
> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is used though.

 

However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may be caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect our customers against these types of attacks.

 

I will try to provide as much information as I can in the following feature requests at jira.mariadb.com

 

Thank you

Lukas

 

 

On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:

Hi, Lukas!

On Mar 19, Lukas Javorsky wrote:
> 
> The main functions that are important for us is the password hashing,
> certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> MD5

Neither password hashing nor certificate fingerprinting, as far as I can
see, use MD5.

Password hashing, indeed, uses SHA-1. It's still secure, as far as I
know, but I understand that you likely just need a checkbox "no
SHA-1 inside". Please create a feature request at jira.mariadb.org for
that (use type=task, project=MDEV).

Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
I think it might make sense to allow other digest algorithms too.
Please create a feature request at jira.mariadb.org (project=CONC).

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx




 

-- 

S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases 

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@xxxxxxxxxx



 

