On 25.06.2018 10:47, Mark Rotteveel wrote:
> On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
>> On 23.06.2018 17:06, Mark Rotteveel wrote:
>>> Why is an authentication plugin mismatch (as in: the lists of plugins
>>> on client and server have no overlap) not clearly communicated
>>> to the client?
>>>
>>> For example, if I have AuthServer = Srp256,Srp,Legacy_Auth and the
>>> client only tries Srp224, then the error returned to the client is
>>>
>>>     Error occurred during login, please check server firebird.log for
>>>     details [SQLState:08006, ISC error code:335545106]
>>>
>>> with this entry in the log:
>>>
>>>     RAMONA Sat Jun 23 16:01:45 2018
>>>         Authentication error
>>>         No matching plugins on server
>>>
>>> Why is the error "Authentication error" + "No matching plugins on
>>> server" not reported back to the client?
>>
>> Because it's a bad idea to open to the client (especially a not yet
>> authenticated one) the details of problems with authentication.
>
> I agree with that in general, but in this specific case I don't see
> the need for that. Communicating about a mismatch in plugins between
> server and client is not a risk.

Afraid you are wrong here. It helps an attacker to detect what plugin is
actually used by the server (for example, srp or srp256) and use that info
to attack that particular plugin later.
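The point made in the reply above (a distinguishable "no matching plugins" error lets an unauthenticated client enumerate the server's plugin list) can be shown with a small model. The following is an added example, not code from this thread or from Firebird itself: it is a toy server whose plugin list is ordered like the AuthServer setting, with a hypothetical `verbose_errors` switch (not a real Firebird option) that sends the mismatch detail to the client instead of only logging it, and a probe that offers one candidate plugin at a time with bogus credentials and compares the error texts it gets back. The user store, credentials and plugin names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Generic message modelled on the one the client actually receives.
GENERIC_LOGIN_ERROR = ("Error occurred during login, "
                       "please check server firebird.log for details")
MISMATCH_DETAIL = "No matching plugins on server"


@dataclass
class AuthServer:
    """Toy server: `plugins` is ordered like the AuthServer setting.
    `verbose_errors` is a hypothetical switch (not a Firebird option) that
    makes the server send the mismatch detail to the client instead of only
    writing it to its own log."""
    plugins: list[str]
    users: dict[str, str]           # constructed credential store
    verbose_errors: bool = False
    log: list[str] = field(default_factory=list)

    def negotiate(self, client_plugins: list[str]) -> str | None:
        # First plugin in *server* order that the client also offers.
        for name in self.plugins:
            if name in client_plugins:
                return name
        return None

    def login(self, user: str, password: str, client_plugins: list[str]) -> str:
        plugin = self.negotiate(client_plugins)
        if plugin is None:
            self.log.append(f"Authentication error\n\t{MISMATCH_DETAIL}")
            if self.verbose_errors:
                raise PermissionError(MISMATCH_DETAIL)
            raise PermissionError(GENERIC_LOGIN_ERROR)
        if self.users.get(user) != password:
            self.log.append(f"Authentication error\n\tplugin {plugin}: bad credentials for {user}")
            raise PermissionError(GENERIC_LOGIN_ERROR)
        return plugin


def probe_plugins(server: AuthServer, candidates: list[str]) -> dict[str, bool | None]:
    """Unauthenticated probe: offer one candidate plugin at a time with bogus
    credentials and compare the error texts. Returns True (server has the
    plugin), False (it does not) or None (indistinguishable). Include one
    surely-unknown name among the candidates so a verbose server produces at
    least two distinct answers to compare."""
    observed: dict[str, str] = {}
    for name in candidates:
        try:
            server.login("nobody", "not-the-password", [name])
            observed[name] = "login succeeded"   # cannot happen with bogus credentials
        except PermissionError as e:
            observed[name] = str(e)
    if len(set(observed.values())) == 1:
        # Every probe produced the same answer: nothing learned about the plugin list.
        return {name: None for name in candidates}
    return {name: msg != MISMATCH_DETAIL for name, msg in observed.items()}


if __name__ == "__main__":
    users = {"SYSDBA": "masterkey"}
    candidates = ["Srp256", "Srp224", "Srp", "Legacy_Auth", "NoSuchPlugin"]
    verbose = AuthServer(["Srp256", "Srp", "Legacy_Auth"], users, verbose_errors=True)
    quiet = AuthServer(["Srp256", "Srp", "Legacy_Auth"], users)
    print("verbose server leaks:", probe_plugins(verbose, candidates))
    print("generic error reveals:", probe_plugins(quiet, candidates))
    print("server log after probing:\n" + "\n".join(quiet.log))
```

With the verbose server the probe recovers exactly which of the candidate plugins are configured; with the generic error every probe looks identical, so a plugin mismatch cannot be told apart from a wrong password, and the detail is still available to the administrator in the server's own log.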
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel