[jdev] Seeking jabber implementers for SCRAM-SHA-1 testing

Simon Josefsson simon at josefsson.org
Tue Nov 3 03:48:44 CST 2009

Dave Cridland <dave at cridland.net> writes:

> On Tue Nov  3 06:33:09 2009, Simon Josefsson wrote:
>> The latest release [1] of GNU SASL [2] has support for the new SASL
>> mechanism SCRAM-SHA-1 and I'm trying to find interested jabber/XMPP
>> implementers who are interested in testing how well it works in the
>> protocol.  Feel free to join discussions on help-gsasl at gnu.org, or
>> e-mail me privately if you prefer.
>> If someone else has implemented SCRAM-SHA-1 here, I would be
>> interested
>> in performing some interop testing with my implementation.
> I have both an implementation of it and a suite of protocol
> implementations that use it, including XMPP. (And IMAP, ESMTP, and -  
> naturally - ACAP). I added SCRAM to see how much harder it was than
> DIGEST-MD5 - it turns out to be much, much easier. It's quite
> possibly out of date WRT the spec, I did it during the last batch of
> GSSAPIisms.

We'll find out. :-)

> I believe that Alexey has the majority, at least, of a server-side
> SCRAM-SHA-1 implementation for Cyrus SASL, too.

He told me it was only SCRAM-MD5, at least some time ago.

> So in the short term, I can spin that up against whatever concrete
> server you have that'll use SCRAM-SHA-1, I think. I believe it'll do
> at least some forms of channel binding, too.

I have a public IMAP test server up and running with SCRAM-SHA-1
support.  No channel binding support yet.  Host 'nubb.josefsson.org',
username 'user' and password 'pencil'.   See:


Let me know if it does/doesn't work.


More information about the JDev mailing list