[SERVER-44857] Shorter SCRAM conversation Created: 26/Nov/19  Updated: 29/Oct/23  Resolved: 16/Jan/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.3.3

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to CDRIVER-3506 Support 2-round-trip SCRAM exchange Closed
is related to CDRIVER-3453 Ensure server proof has been validate... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2019-12-16, Security 2019-12-30, Security 2019-01-13, Security 2019-01-27
Participants:

 Description   

We should investigate what work needs to be done to perform SCRAM authentication attempts in fewer roundtrips.



 Comments   
Comment by Jeffrey Yemin [ 24/Jan/20 ]

Clients can opt in to the shorter SCRAM conversation with the following saslStart command:

{
  saslStart: 1,
  mechanism: 'SCRAM-SHA-256',
  options: { skipEmptyExchange: true },
  payload: '...',
}

Note that older server versions will ignore the options, so no wire version check is required. The options can be sent to all server versions. Older server versions will just continue to use the longer SASL conversations, so clients needing to authenticate to pre-4.4 servers have to be able to handle both types of exchanges.
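
Added example (not from this ticket or from any MongoDB driver): a client that always sends `skipEmptyExchange` and then handles whichever exchange length the server uses, verifying the server signature before accepting completion. Assumptions: `send` is a hypothetical transport callable, replies carry `conversationId`, `done` and a bytes `payload`, and SASLprep and username escaping are left out.

```python
import base64, hashlib, hmac, os

def hmac_sha256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def b64(raw):
    return base64.b64encode(raw).decode()

def parse_fields(payload):
    # "r=...,s=...,i=..." -> {"r": ..., "s": ..., "i": ...}
    return dict(kv.split("=", 1) for kv in payload.decode().split(","))

def scram_auth(send, user, password):
    """Run SCRAM-SHA-256 over `send` (hypothetical: command dict -> reply dict).
    Returns the round trips used (2 short, 3 long); raises ValueError if the
    server's messages fail verification."""
    nonce = b64(os.urandom(18))
    first_bare = f"n={user},r={nonce}"
    r1 = send({"saslStart": 1, "mechanism": "SCRAM-SHA-256",
               "options": {"skipEmptyExchange": True},  # older servers ignore this
               "payload": f"n,,{first_bare}".encode()})
    server_first = parse_fields(r1["payload"])
    if not server_first.get("r", "").startswith(nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(server_first["s"]),
                                 int(server_first["i"]))
    no_proof = f"c=biws,r={server_first['r']}"
    auth_msg = f"{first_bare},{r1['payload'].decode()},{no_proof}".encode()
    client_key = hmac_sha256(salted, b"Client Key")
    client_sig = hmac_sha256(hashlib.sha256(client_key).digest(), auth_msg)
    proof = b64(bytes(a ^ b for a, b in zip(client_key, client_sig)))
    r2 = send({"saslContinue": 1, "conversationId": r1["conversationId"],
               "payload": f"{no_proof},p={proof}".encode()})
    # Check the server signature before trusting `done`: on the short path this
    # reply ends the conversation, so it is the only place the check can happen.
    expected = b64(hmac_sha256(hmac_sha256(salted, b"Server Key"), auth_msg))
    got = parse_fields(r2["payload"]).get("v", "")
    if not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("server signature missing or invalid")
    if r2["done"]:
        return 2  # server honoured skipEmptyExchange
    # Older server: it still expects one empty client message before done:true.
    r3 = send({"saslContinue": 1, "conversationId": r1["conversationId"],
               "payload": b""})
    if not r3["done"]:
        raise ValueError("conversation did not complete")
    return 3
```

The return value tells the caller which exchange the server used, which is useful to log when rolling out the option across mixed server versions.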

Comment by Githook User [ 16/Jan/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-44857 Allow SCRAM conversation to avoid empty exchange
Branch: master
https://github.com/mongodb/mongo/commit/db5e7863b095355aae7a09b127d11de1bed1af33
