On 1/14/22 20:30, Dimitry Sibiryakov wrote:
> Alex Peshkoff via Firebird-devel wrote 14.01.2022 18:08:
>> Better to mark the set of isc_add/modify/delete_user() functions as deprecated.
>> That's the only place where subj is used.
>
> Taking into account that proper SRP routines for adding a new user
> require the client side to send to the server the verifier only, I have a
> feeling that, on the contrary, this API should be reviewed and user
> management using SQL should be disabled unless the connection is encrypted.
> Currently the SQL sent via an unencrypted connection allows one to sniff
> the password of the new user and to use it for connections, while
> having the verifier doesn't allow that (though it still lets one decrypt and see
> the user's traffic).

I doubt we need any security-related changes for people that use
an unencrypted connection. If one connects unencrypted, that means that
person does not care about security.

Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
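
The contrast discussed in the message above, as an added example that is not part of the original thread and is not Firebird's code: a generic SRP-6a sketch showing that a captured `CREATE USER` statement contains the password, while a captured salt and verifier does not and does not work when presented as the password. The RFC 5054 1024-bit group, SHA-1, the helper names and the sample user and password are assumptions made for illustration.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group and SHA-1: assumptions for this sketch, not Firebird's code.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
PAD = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes(PAD, "big")

K = H(to_bytes(N), to_bytes(G))  # SRP-6a multiplier k

def private_x(user: str, secret: str, salt: bytes) -> int:
    inner = hashlib.sha1(f"{user}:{secret}".encode()).digest()
    return H(salt, inner)

def register(user: str, password: str):
    """Client side of user creation: only (salt, verifier) leaves the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(user, password, salt), N)

def login_succeeds(user: str, secret: str, salt: bytes, verifier: int) -> bool:
    """Run one SRP-6a exchange; True when both sides derive the same secret S."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(G, a, N)                              # client -> server
    B = (K * verifier + pow(G, b, N)) % N         # server -> client
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(user, secret, salt)
    client_s = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    server_s = pow(A * pow(verifier, u, N) % N, b, N)
    return client_s == server_s

# Constructed sample data.
USER, PASSWORD = "alice", "correct horse"
SQL_ON_WIRE = f"CREATE USER {USER} PASSWORD '{PASSWORD}'".encode()

def demo() -> dict:
    salt, v = register(USER, PASSWORD)
    srp_on_wire = salt + to_bytes(v)              # what a sniffer would capture
    return {"sql_leaks_password": PASSWORD.encode() in SQL_ON_WIRE,
            "srp_leaks_password": PASSWORD.encode() in srp_on_wire,
            "password_logs_in": login_succeeds(USER, PASSWORD, salt, v),
            "verifier_as_password_logs_in": login_succeeds(USER, format(v, "x"), salt, v)}
```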