On 04-12-2020 15:10, Dimitry Sibiryakov wrote:
> 04.12.2020 14:38, Mark Rotteveel wrote:
>> This obviously means that there is something wrong in Jaybird's SRP
>> implementation, but so far I have no clue as to what.
> SRP definitely allows distinguishing the cases of an unknown user and a
> wrong password. You could start by finding out which part of the
> handshake has failed.

It reaches phase 2 of the authentication, so the user exists (with a
user that doesn't exist, it ends after phase 1). The server response is
an op_cont_auth suggesting to try Legacy_Auth next.

This behaviour is a security issue: it leaks the existence or
non-existence of the user.
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
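The point Mark makes above (a server that answers phase 1 differently for an unknown user than for a known user with a wrong password lets a client tell the two apart) can be shown with a small SRP-6a model. The code below is an added example for this thread and is not Jaybird's or Firebird's code, nor Firebird's wire protocol: it uses the RFC 5054 1024-bit group with SHA-256, a simplified client proof M1, and tuple messages whose names ("phase1_reply", "cont_auth", "reject") are stand-ins for the real op codes. The "leaky" server reproduces the behaviour described in the thread (unknown user gets a different answer at phase 1); the "fixed" server derives a stable fake salt and verifier from a server-side secret so that an unknown user also reaches phase 2 and only fails at the proof check, as any wrong password would.

```python
import hashlib
import hmac
import os
import secrets

# RFC 5054 Appendix A, 1024-bit group: N is a safe prime, generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def group_sanity() -> bool:
    """Fermat check on N (base 2); guards against a mistyped group constant."""
    return pow(2, N - 1, N) == 1


def to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer (hash used by this model)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username: str, password: str) -> tuple:
    """Registration: the server stores (salt, v = g^x), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def phase1(self):
        return ("phase1", self.username, self.A)

    def phase2(self, salt: bytes, B: int):
        u = H(to_bytes(self.A), to_bytes(B))
        x = private_x(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        M1 = hashlib.sha256(to_bytes(self.A) + to_bytes(B) + to_bytes(S)).digest()
        return ("phase2", self.username, M1)


class Server:
    def __init__(self, users: dict, leak_existence: bool):
        self.users = users                  # username -> (salt, v)
        self.leak_existence = leak_existence
        self.pepper = os.urandom(32)        # secret for fake salt/verifier derivation
        self.pending = {}

    def handle(self, msg):
        if msg[0] == "phase1":
            _, username, A = msg
            if A % N == 0:                  # reject A == 0 mod N (SRP requirement)
                return ("reject",)
            if username in self.users:
                salt, v = self.users[username]
            elif self.leak_existence:
                # Behaviour described in the thread: a different answer at phase 1.
                return ("cont_auth", "Legacy_Auth")
            else:
                # Hardened: stable fake salt and verifier keyed by a server secret,
                # so an unknown user gets the same message shape as a real one.
                fake = hmac.new(self.pepper, username.encode(), "sha256").digest()
                salt, v = fake[:16], pow(g, int.from_bytes(fake, "big"), N)
            b = secrets.randbelow(N - 2) + 1
            B = (k * v + pow(g, b, N)) % N
            self.pending[username] = (A, B, b, v)
            return ("phase1_reply", salt, B)
        if msg[0] == "phase2":
            _, username, M1 = msg
            state = self.pending.pop(username, None)
            if state is None:
                return ("reject",)
            A, B, b, v = state
            u = H(to_bytes(A), to_bytes(B))
            S = pow(A * pow(v, u, N), b, N)
            expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + to_bytes(S)).digest()
            return ("accept",) if hmac.compare_digest(expected, M1) else ("reject",)
        return ("reject",)


def transcript(server: Server, username: str, password: str) -> list:
    """Message kinds the client observes; this is what an observer can compare."""
    client = Client(username, password)
    reply = server.handle(client.phase1())
    kinds = [reply[0]]
    if reply[0] == "phase1_reply":
        kinds.append(server.handle(client.phase2(reply[1], reply[2]))[0])
    return kinds


def demo() -> dict:
    users = {"alice": enroll("alice", "correct horse")}   # constructed sample user
    leaky, fixed = Server(users, True), Server(users, False)
    return {
        "leaky_unknown": transcript(leaky, "mallory", "x"),
        "leaky_wrong_pw": transcript(leaky, "alice", "x"),
        "fixed_unknown": transcript(fixed, "mallory", "x"),
        "fixed_wrong_pw": transcript(fixed, "alice", "x"),
        "fixed_correct": transcript(fixed, "alice", "correct horse"),
    }
```

Running `demo()` shows the leaky server answering `['cont_auth']` for an unknown user but `['phase1_reply', 'reject']` for a wrong password, while the fixed server answers `['phase1_reply', 'reject']` in both cases and only a correct password reaches `accept`. Deriving the fake salt from an HMAC over the username keeps it stable across attempts, since a salt that changes on every try would itself be a distinguishing signal; the model does not address timing differences, which a real implementation would also need to equalise.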