Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
Server Security
Server Security 2025-09-12, Server Security 2025-09-26, Server Security 2025-10-10, Server Security 2025-10-24, Server Security 2025-11-07, Server Security 2026-02-13
Today, setting -tlsFIPSMode implicitly removes SCRAM-SHA-1 from the default list of authentication mechanisms that the server accepts. However, the server can still be explicitly configured with both SCRAM-SHA-1 and -tlsFIPSMode, in which case it will accept SCRAM-SHA-1 authentication attempts while also running in FIPS mode.
We should consider whether it's worth disallowing this combination entirely.
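To make the gap concrete, here is an added example (not MongoDB server code) of a small checker that models the behaviour described above and flags the combination on a mongod command line: `--tlsFIPSMode` drops SCRAM-SHA-1 from the implicit default list, but an explicit `--setParameter authenticationMechanisms=...` is honoured as written. The default mechanism list used when nothing is set explicitly, and the sample command lines, are assumptions constructed for illustration.

```python
"""Flag mongod command lines that run in FIPS mode yet still accept SCRAM-SHA-1.

Added example, not code from the MongoDB server. It models the behaviour the
ticket describes: FIPS mode removes SCRAM-SHA-1 from the *default* mechanism
list, but an explicit authenticationMechanisms setting is used as written.
"""
import shlex

# Assumed default list for illustration; the real server default may differ.
ASSUMED_DEFAULT_MECHANISMS = ["SCRAM-SHA-1", "SCRAM-SHA-256"]
FIPS_FLAG = "--tlsFIPSMode"
MECH_PARAM = "authenticationMechanisms"


def _parse_mechanisms(setting):
    """Turn 'authenticationMechanisms=A,B' into ['A', 'B'], or None if unrelated."""
    key, _, value = setting.partition("=")
    if key != MECH_PARAM:
        return None
    return [m.strip() for m in value.split(",") if m.strip()]


def parse_mongod_args(cmdline):
    """Return (fips_mode, explicit_mechanisms_or_None) from a mongod command line.

    Recognises the bare '--tlsFIPSMode' switch and both spellings of
    '--setParameter authenticationMechanisms=...'. Other arguments are ignored.
    """
    args = shlex.split(cmdline)
    fips = False
    mechanisms = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == FIPS_FLAG:
            fips = True
        elif arg == "--setParameter" and i + 1 < len(args):
            i += 1
            parsed = _parse_mechanisms(args[i])
            if parsed is not None:
                mechanisms = parsed
        elif arg.startswith("--setParameter="):
            parsed = _parse_mechanisms(arg[len("--setParameter="):])
            if parsed is not None:
                mechanisms = parsed
        i += 1
    return fips, mechanisms


def effective_mechanisms(fips, explicit):
    """Mechanisms the server would accept under the ticket's described rules."""
    if explicit is not None:
        return list(explicit)  # explicit list honoured as written, FIPS or not
    if fips:
        return [m for m in ASSUMED_DEFAULT_MECHANISMS if m != "SCRAM-SHA-1"]
    return list(ASSUMED_DEFAULT_MECHANISMS)


def check_cmdline(cmdline):
    """Return a finding if FIPS mode and SCRAM-SHA-1 are both in effect, else None."""
    fips, explicit = parse_mongod_args(cmdline)
    accepted = effective_mechanisms(fips, explicit)
    if fips and "SCRAM-SHA-1" in accepted:
        return ("FIPS mode enabled but SCRAM-SHA-1 explicitly allowed; "
                "effective mechanisms: " + ",".join(accepted))
    return None


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real deployment.
    SAMPLES = {
        "fips-implicit-defaults": "mongod --tlsMode requireTLS --tlsFIPSMode",
        "fips-explicit-sha1": ("mongod --tlsFIPSMode --setParameter "
                               "authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256"),
        "fips-explicit-sha256-only": ("mongod --tlsFIPSMode "
                                      "--setParameter=authenticationMechanisms=SCRAM-SHA-256"),
        "no-fips-sha1": "mongod --setParameter authenticationMechanisms=SCRAM-SHA-1",
    }
    for name, cmd in SAMPLES.items():
        print(f"{name}: {check_cmdline(cmd) or 'ok'}")
```

Only the second sample is reported: FIPS mode is on and SCRAM-SHA-1 was listed explicitly. The first sample passes because the implicit default list has SCRAM-SHA-1 removed, which is exactly the asymmetry the ticket asks about.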