weak hashing algorithm used #3045

amitagarwal-dev · 2024-09-11T11:30:43Z

amitagarwal-dev
Sep 11, 2024

Mysql2 version: 3.11.0

We saw that a weak hashing algorithm (SHA1) used in the mysql2 code. Can anybody tell the purpose of this code and can we replace this with sha256?
Please provide your comment on this!

CODE

path: mysql2/lib/auth_41.js

function sha1(msg, msg1, msg2) {
  const hash = crypto.createHash('sha1');
  hash.update(msg);
  if (msg1) {
    hash.update(msg1);
  }

  if (msg2) {
    hash.update(msg2);
  }

  return hash.digest();
}

dougwilson · 2024-09-11T14:39:51Z

dougwilson
Sep 11, 2024
Collaborator

Because any server using mysql_native_password for authentication needs this, since that plugin, which was standard for a very long time, uses sha-1

0 replies

sidorares · 2024-09-12T05:26:48Z

sidorares
Sep 12, 2024
Maintainer

If this is a concern the fix should be on the server config side: disallow mysql_native_password auth method and enable caching_sha2_password or similar. Most modern mysql server setups have caching_sha2_password enabled by default

1 reply

EricCarey286 Oct 4, 2024

does mysql2 support caching_sha2_password now?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

weak hashing algorithm used #3045

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

weak hashing algorithm used #3045

amitagarwal-dev Sep 11, 2024

Replies: 2 comments · 1 reply

dougwilson Sep 11, 2024 Collaborator

sidorares Sep 12, 2024 Maintainer

EricCarey286 Oct 4, 2024

amitagarwal-dev
Sep 11, 2024

Replies: 2 comments 1 reply

dougwilson
Sep 11, 2024
Collaborator

sidorares
Sep 12, 2024
Maintainer