Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-15079

Document the security non-implications of md5 usage in SCRAM-SHA-1

    XMLWordPrintable

Details

    Description

      We often get tickets like SECURITY-769 or CSHARP-3729 (and similar tickets in other driver projects) where a user complains that their security scanner told them we use md5 and therefore our software has a security vulnerability or that they tried to use SCRAM-SHA-1 in a FIPS140-2 environment and failed because FIPS enforcement breaks md5 methods. The following docs pages must be updated to mention the usage of md5 in SCRAM-SHA-1, that md5 is necessary but not used in a cryptographic context and that FIPS users should use SCRAM-SHA-256, Kerberos, LDAP, x509, etc. in place of SCRAM-SHA-1.

      https://docs.mongodb.com/upcoming/core/security-scram/
      https://docs.mongodb.com/manual/tutorial/configure-fips/

      Attachments

        Activity

          People

            jason.price@mongodb.com Jason Price
            bernie@mongodb.com Bernie Hackett
            Githook User Githook User
            Bernie Hackett
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              32 weeks ago