On 27.10.2017 20:35, Aki Tuomi wrote:

...

On October 27, 2017 at 6:00 PM Admin Beckspaced admin@beckspaced.com wrote:

Hello dovecot community, ...

If someone could shed some light on this I would be more than grateful ;)

Thanks & greetings Becki We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really good idea with SSL anyways.

Aki

Hello Aki, thanks for your reply ... so if there's a bug which Google won't fix it's perhaps best to not offer digest-md5? what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 with SSL?

Thanks & Greetings Becki

On 28.10.2017 12:24, Alex JOST wrote:

Am 28.10.2017 um 08:30 schrieb Admin Beckspaced:

...

On 27.10.2017 20:35, Aki Tuomi wrote:

...

...

On October 27, 2017 at 6:00 PM Admin Beckspaced admin@beckspaced.com wrote:

Hello dovecot community, ...

If someone could shed some light on this I would be more than grateful ;)

Thanks & greetings Becki We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really good idea with SSL anyways.

Aki

Hello Aki, thanks for your reply ... so if there's a bug which Google won't fix it's perhaps best to not offer digest-md5? what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 with SSL?

Those methods encrypt the password itself which was a good thing back in the days when most connections were unencrypted. The disadvantage is that they require the password to be saved in cleartext.

If you can enforce an encrypted connection it is better to use PLAIN/LOGIN and save the passwords as hashes (preferably with salts).

Thanks for your explanation ;)

On October 28, 2017 at 11:37 AM Jerry jerry@seibercom.net wrote:

On Fri, 27 Oct 2017 21:35:16 +0300 (EEST), Aki Tuomi stated:

...

We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really good idea with SSL anyways

Could you actually describe what that bug is? I actually know someone at Google and they might be able to get it investigated and perhaps corrected. The more info you could supply, the better.

Thanks :)

-- Jerry

The issue is https://issuetracker.google.com/issues/36996387, and exactly what happens is bit unknown. From our point of view, Android sends all other values correctly except final hash when using digest-md5.

Aki