Welcome, this page informs you about the security, all SCRAM variants and Channel Binding (-PLUS variants) too.

Like I inform all the World since a long time: SCRAM and Channel Binding are here for more security.

2025-08-21: Daniel Gultsch (@iNPUTmice), author of Conversations (an XMPP Client for Android) has done an announcement:

• Conversations: https://gultsch.social/@daniel/115066500856811053

End-to-end encryption (E2EE) is important. However, on self-hosted or otherwise trusted servers, the client-to-server transport layer presents a much larger attack surface. It’s the first hurdle an adversary must overcome before they can attack E2EE. 

That’s why Conversations includes advanced MITM detection called Channel Binding. Turn it on today!

It’s optional for now because not all servers support it. Talk to your admins.

Neither Matrix nor Delta Chat offer comparable protection.

Conversations: SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS) and SCRAM-SHA-512(-PLUS):

• https://conversations.im/
• https://codeberg.org/iNPUTmice/Conversations

Important history:

CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 // 20 November 2008
• https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00 // June 29, 2017

RFC6331: Moving DIGEST-MD5 to Historic:

• https://tools.ietf.org/html/rfc6331 // July 2011

RFC8600: https://tools.ietf.org/html/rfc8600 (2019-06-21): https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802].

But in "Best practices for password hashing and storage" expired I-D:

• https://tools.ietf.org/html/draft-ietf-kitten-password-storage

- EXTERNAL
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-1
- PLAIN

About Channel Binding (for -PLUS variants):

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056 // November 2007
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 // July 2010
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266 // July 2022

Some important XEPs:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2 (RFC5929)
• tls-server-end-point =< 1.2 + 1.3 (RFC5929)
• tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

SCRAM-SHA-1(-PLUS):

• RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 // July 2010
• RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: https://tools.ietf.org/html/rfc6120 // March 2011

SCRAM-SHA-256(-PLUS):

• RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 // 2015-11-02
• RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: https://tools.ietf.org/html/rfc8600 // 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

• https://tools.ietf.org/html/draft-melnikov-scram-bis

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051 // August 2021

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 // July 2010

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804 // March 2016

JMAP:

• RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621 // August 2019

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

SASL2:

• Extensible Simple Authentication and Security Layer (SASL): https://tools.ietf.org/html/draft-melnikov-sasl2

Article: Convert old unsecured MD5 passwords to SCRAM-SHA-256 with PostgreSQL: https://info.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram

Article: From MD5 to scram-sha-256 in PostgreSQL: https://www.cybertec-postgresql.com/en/from-md5-to-scram-sha-256-in-postgresql/

Article: SCRAM over SASL for SkySpark v3: https://www.alienfactory.co.uk/articles/skyspark-scram-over-sasl

Since PostgreSQL 10, MD5 -> SCRAM-SHA-256:
SCRAM-SHA-256 has been added in PostgreSQL 10
SCRAM-SHA-256-PLUS variant (with TLS Binding) has been added in PostgreSQL 13
SCRAM-SHA-256 is selected by default in PostgreSQL 14

• 10: https://www.postgresql.org/docs/10/auth-methods.html | https://www.postgresql.org/about/news/postgresql-10-released-1786/
• 11: https://www.postgresql.org/docs/11/auth-password.html
• 12: https://www.postgresql.org/docs/12/auth-password.html
• 13: https://www.postgresql.org/docs/13/auth-password.html | https://www.postgresql.org/about/news/postgresql-13-released-2077/
• 14: https://www.postgresql.org/docs/14/auth-password.html | https://www.postgresql.org/about/news/postgresql-14-released-2318/ | https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/how-to-securely-authenticate-with-scram-in-postgres-13/ba-p/1548319

SCRAM-SHA-1(-PLUS) and SCRAM-SHA-256(-PLUS):

• OnGres SCRAM 3.0 - Salted Challenge Response Authentication Mechanism (SCRAM) - Java Implementation: https://github.com/ongres/scram
• Tigase XMPP Server 8.0.0 (XMPP server): https://docs.tigase.net/tigase-server/8.0.0/Administration_Guide/html/
• Gajim 1.2.x (XMPP client): https://gajim.org/
• nbxmpp 2.x, Python library (XMPP library): https://dev.gajim.org/gajim/python-nbxmpp/
• Prosody IM 0.12 (XMPP server): https://hg.prosody.im/0.12/rev/60b445183d84 + https://hg.prosody.im/0.12/rev/e458578ddfd3 | https://hg.prosody.im/0.12/rev/c0d221b0c94c + https://hg.prosody.im/0.12/rev/1bfd238e05ad | https://prosody.im/doc/release/0.12.0 | https://prosody.im/
• Prosody IM Trunk (XMPP server): https://hg.prosody.im/trunk/rev/60b445183d84 + https://hg.prosody.im/trunk/rev/e458578ddfd3 | https://hg.prosody.im/trunk/rev/c0d221b0c94c + https://hg.prosody.im/trunk/rev/1bfd238e05ad | https://hg.prosody.im/trunk/rev/29685403be32 + https://hg.prosody.im/trunk/rev/78f874441e21 | https://prosody.im/
• GNU SASL 1.10.0 (Libgsasl): http://www.gnu.org/software/gsasl/
• aiosasl: https://github.com/horazont/aiosasl
• Mellium SASL: https://github.com/mellium/sasl
• Mellium XMPP (XMPP library): https://github.com/mellium/xmpp
• xmpp-rs (XMPP library): https://gitlab.com/xmpp-rs/xmpp-rs
• Multipurpose XMPP-Webhook (Built for DevOps Alerts): https://github.com/tmsmr/xmpp-webhook
• Stanza (XMPP library): https://github.com/legastero/stanza (https://github.com/legastero/stanza/issues/295 "SCRAM-SHA-256 is supported now. -PLUS is too, technically, but BOSH/WebSocket don't provide channel binding info. It'll be there once TCP/TLS support is added.")
• Exim (Mail server): https://bugs.exim.org/show_bug.cgi?id=2349 // Exim uses GNU SASL
• indimail-mta (qmail fork with IPV6, TLS, DANE, DKIM, SRS2, daemontools, qmailanalog, mess822, & ucspi-tcp): https://github.com/indimail/indimail-mta (with gsasl)
• Dovecot 2.4.0 (Mail server): https://doc.dovecot.org/2.4.0/core/rfc.html#authentication + https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/UYNR6GBP25XEGFCS633SWPR4HXV3NSS3/
• Rock-solid and complete codec for IMAP: https://github.com/duesee/imap-codec
• mpop (POP3 client): https://marlam.de/mpop/
• msmtp (SMTP client): https://marlam.de/msmtp/
• go-mail: https://github.com/wneessen/go-mail

SCRAM-SHA-1 and SCRAM-SHA-256:

• NaviServer: A scalable, multithreaded web server / multi-protocol server written in C and Tcl. It can be easily extended in either language to create interesting web sites and services: https://github.com/naviserver-project/naviserver + https://sourceforge.net/projects/naviserver/
• Thunderbird 71 (XMPP client): https://thunderbird.net/ // -PLUS: https://bugzilla.mozilla.org/show_bug.cgi?id=563276
• Mox: modern full-featured open source secure mail server for low-maintenance self-hosted email: https://github.com/mjl-/mox
• Tigase Beagle IM (XMPP client): https://beagle.im/
• Tigase Siskin IM (XMPP client): https://siskin.im/
• TigaseSwift - XMPP library for Swift (XMPP library): https://github.com/tigase/tigase-swift
• UWPX (XMPP client): https://github.com/UWPX/UWPX-Client
• Dovecot 2.3.10 (Mail server): https://doc.dovecot.org/2.3/configuration_manual/authentication/password_schemes/ + https://dovecot.org/pipermail/dovecot-news/2020-March/000432.html
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin
• MySQL 8.0.23: https://dev.mysql.com/doc/refman/8.0/en/pluggable-authentication-system-variables.html#sysvar_authentication_ldap_sasl_auth_method_name
• The MongoDB Database: https://github.com/mongodb/mongo
• MongoDB 4.0: https://docs.mongodb.com/manual/core/security-scram/ + https://www.mongodb.com/blog/post/exciting-new-security-features-in-mongodb-40 + https://www.mongodb.com/docs/manual/core/security-scram/ + https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#scram-sha-1 + https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#scram-sha-256
• PyMongo 3.7: https://api.mongodb.com/python/3.7.0/examples/authentication.html + https://api.mongodb.com/python/3.7.0/api/pymongo/database.html
• MongoDB for the XP Framework: https://github.com/xp-forge/mongodb
• The Java driver for MongoDB: https://github.com/mongodb/mongo-java-driver
• The MongoDB C Driver (libmongoc): http://mongoc.org/
• Percona Server for MongoDB: https://github.com/percona/percona-server-mongodb
• RED HAT AMQ: https://access.redhat.com/documentation/en-us/red_hat_amq/7.2/html-single/using_the_amq_jms_client/index
• Stanza (XMPP library): https://github.com/legastero/stanza
• Rust SASL: https://gitlab.com/lumi/sasl-rs + https://docs.rs/sasl/
• Vert.x based SCRAM service: https://github.com/edipermadi/scram-service
• OnGres SCRAM - Salted Challenge Response Authentication Mechanism (SCRAM) - Java Implementation: https://github.com/ongres/scram
• TiDB: an open-source, cloud-native, distributed, MySQL-Compatible database for elastic scale and real-time analytics: https://github.com/pingcap/tidb
• Apache Qpid: https://qpid.apache.org/
• Apache Qpid Broker-J: https://github.com/apache/qpid-broker-j
• Apache Qpid JMS AMQP 0-x: https://github.com/apache/qpid-jms-amqp-0-x + https://github.com/apache/qpid-jms-amqp-0-x/tree/main/client/src/main/java/org/apache/qpid/client/security/scram
• Apache Gora: https://github.com/apache/gora
• Lightweight XMPP client library written in Dart: https://github.com/vukoye/xmpp_dart
• Lightweight XMPP client library written in Dart: https://github.com/slashdigital/xmpp_dart

SCRAM-SHA-256(-PLUS):

• PostgreSQL 13: https://www.postgresql.org/docs/13/sasl-authentication.html + https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/how-to-securely-authenticate-with-scram-in-postgres-13/ba-p/1548319
• Native PostgreSQL driver for the Rust programming language: https://github.com/sfackler/rust-postgres
• Npgsql is the .NET data provider for PostgreSQL: https://www.npgsql.org/ + https://github.com/npgsql/npgsql
• A postgres driver for crystal: https://github.com/will/crystal-pg

SCRAM-SHA-256:

• IRCv3: https://ircv3.net/docs/sasl-mechs
• AdiIRC: https://www.adiirc.com/
• Swirc: https://www.nifty-networks.net/swirc/
• Ergo: https://github.com/ergochat/ergo
• IRCCloud: https://www.irccloud.com/
• CoreIRC: https://play.google.com/store/apps/details?id=co.aureolin.coreirc
• Limnoria: https://github.com/ProgVal/Limnoria
• Rust SCRAM: https://github.com/tomprogrammer/scram
• SASL-SCRAM-SHA256: https://github.com/PhysoTronic/SASL-SCRAM-SHA256
• Postgres driver written in pure Zig: https://github.com/star-tek-mb/pgz
• PostgreSQL 10: https://www.postgresql.org/docs/10/sasl-authentication.html
• Erlang PostgreSQL client library: https://github.com/epgsql/epgsql
• Postgresql JDBC Driver: https://github.com/pgjdbc/pgjdbc + https://jdbc.postgresql.org/
• PostgreSQL driver and toolkit for Go: https://github.com/jackc/pgx
• PostgreSQL driver for Elixir: https://github.com/elixir-ecto/postgrex
• A PostgreSQL metric exporter for Prometheus: https://github.com/prometheus-community/postgres_exporter
• Puppet module for managing PostgreSQL: https://github.com/puppetlabs/puppetlabs-postgresql
• Pgpool-II 4.0.0: https://www.pgpool.net/ + https://www.pgpool.net/docs/40/en/html/auth-methods.html + https://b-peng.blogspot.com/2020/09/how-to-configure-scram-and-md5.html
• pgpoolAdmin 4.0.0: https://www.pgpool.net/
• YugabyteDB 2.5: https://github.com/yugabyte/yugabyte-db + https://blog.yugabyte.com/whats-new-in-yugabytedb-2-5-enterprise-grade-security-features/ + https://docs.yugabyte.com/latest/secure/authentication/password-authentication/ + https://dev.to/yugabyte/enabling-pgaudit-pgcrypto-and-scram-sha-256-in-distributed-sql-3kjl
• Cassandra security authentication plug-in based on SCRAM-SHA256 algorithm: https://github.com/johnyannj/cassandra-secure-plugin
• This is a simple program to generate password hashes using SCRAM-SHA-256 for Postgres (supported after version 10): https://github.com/DenisMedeirosBBD/PostgresSCRAM256PasswordGenerator
• A password generator for PostgreSQL to encrypt it with SCRAM-SHA-256 method: https://github.com/supercaracal/scram-sha-256
• connectanum-dart: https://github.com/konsultaner/connectanum-dart
• The Web Application Messaging Protocol: https://wamp-proto.org/ + https://github.com/wamp-proto/wamp-proto
• High performance reactive SQL Client written in Java: https://github.com/eclipse-vertx/vertx-sql-client + https://vertx.io/docs/vertx-pg-client/java/
• Okapi: https://github.com/folio-org/okapi
• Lightweight FOLIO module development library for Vert.x that supports OpenAPI: https://github.com/folio-org/folio-vertx-lib
• Vault: A tool for secrets management, encryption as a service, and privileged access management: https://github.com/hashicorp/vault
• EdgeDB: A next-generation graph-relational database: https://edgedb.com/ + https://github.com/edgedb
• edgedb-js: The official TypeScript/JS client library and query builder for EdgeDB: https://github.com/edgedb/edgedb-js
• edgedb-ui: The home of EdgeDB UI and all related shared UI components: https://github.com/edgedb/edgedb-ui
• edgedb-python: The official Python client library for EdgeDB: https://github.com/edgedb/edgedb-python
• edgedb-cli: The EdgeDB CLI: https://github.com/edgedb/edgedb-cli
• imapclient: An easy-to-use, Pythonic and complete IMAP client library: https://github.com/mjs/imapclient
• SCRAM-SHA-256 module for node.js: https://www.npmjs.com/package/scram_sha_256 + https://github.com/anunique/js-scram-sha-256
• pg-password-util: https://www.npmjs.com/package/pg-password-util + https://github.com/sehrope/node-pg-password-util
• softvisio/core: https://www.npmjs.com/package/@softvisio/core + https://softvisio-node.github.io/core/ + https://github.com/softvisio-node/core

SCRAM-SHA-256 and SCRAM-SHA-512:

• Apache ActiveMQ Artemis: https://github.com/apache/activemq-artemis + https://activemq.apache.org/components/artemis/documentation/latest/security.html + https://github.com/apache/activemq-artemis/tree/main/examples/protocols/amqp/sasl-scram + https://issues.apache.org/jira/browse/ARTEMIS-3106
• Apache Kafka: https://github.com/apache/kafka + https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_scram.html + https://cwiki.apache.org/confluence/display/KAFKA/KIP-84%3A+Support+SASL+SCRAM+mechanisms + https://issues.apache.org/jira/browse/KAFKA-3751
• CockroachDB: The open source, cloud-native distributed SQL database: https://github.com/cockroachdb/cockroach
• CockroachDB with pre-generated Go code: https://github.com/cockroachdb/cockroach-gen
• Sarama is a Go library for Apache Kafka: https://github.com/Shopify/sarama
• Sarama, a Go library for Apache Kafka: https://github.com/IBM/sarama
• A modern Apache Kafka client for node.js: https://github.com/tulios/kafkajs + https://kafka.js.org/
• aiokafka: https://github.com/aio-libs/aiokafka
• Python client for Apache Kafka: https://github.com/dpkp/kafka-python
• Alternate Kafka Broker implementation: https://github.com/knative-sandbox/eventing-kafka-broker
• Kafka integrations with Knative Eventing: https://github.com/knative-sandbox/eventing-kafka
• The plugin-driven server agent for collecting & reporting metrics: https://github.com/influxdata/telegraf
• Sarama is a Go library for Apache Kafka: https://github.com/Shopify/sarama
• Strimzi canary: https://github.com/strimzi/strimzi-canary
• KEDA: a Kubernetes-based Event Driven Autoscaling component: https://github.com/kedacore/keda
• Apache Kafka running on Kubernetes: https://github.com/strimzi/strimzi-kafka-operator
• The Apache Kafka C/C++ library: https://github.com/edenhill/librdkafka
• CNCF Jaeger: a Distributed Tracing Platform: https://github.com/jaegertracing/jaeger + https://www.jaegertracing.io/
• OpenTelemetry Collector: https://github.com/open-telemetry/opentelemetry-collector
• Haystack: https://project-haystack.org/doc/Auth
• ForgeRock Directory Services (OpenDJ/OpenDS): https://backstage.forgerock.com/knowledge/kb/article/a44757687 + https://backstage.forgerock.com/docs/ds/7/release-notes/whats-new.html + https://backstage.forgerock.com/docs/ds/7/configref/subcommands-create-password-storage-scheme.html + https://backstage.forgerock.com/docs/ds/7/ldap-reference/standards.html + https://backstage.forgerock.com/search/?q=scram + https://bugster.forgerock.org/jira/browse/OPENDJ-6435 + ...

SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384, SCRAM-SHA-512:

• mIRC: https://www.mirc.com/

SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384, SCRAM-SHA-512 and SCRAM-SHA3-512:

• The PHP SASL2 Authentification Library: https://github.com/fabiang/sasl

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), SCRAM-SHA-512(-PLUS) and SCRAM-SHA3-512(-PLUS):

• Salted Challenge Response Authentication Mechanism [SCRAM-SHA-1(-PLUS) SCRAM-SHA-224 SCRAM-SHA-256(-PLUS) SCRAM-SHA-384 SCRAM-SHA-512(-PLUS) SCRAM-SHA3-512(-PLUS)] (scram.nim): https://github.com/ba0f3/scram.nim

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512 and SCRAM-SHA3-512:

• QXmpp (XMPP library): https://github.com/qxmpp-project/qxmpp // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• KDE Kaidan (XMPP client): https://www.kaidan.im/ // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• ShmoNG (Shmoose Next Generattion): A XMPP Client for Sailfish OS: https://github.com/geobra/shmong
• SnappyMail (PHP Webmail) : https://github.com/the-djmaze/snappymail + https://snappymail.eu/

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-512(-PLUS) and SCRAM-SHA3-512(-PLUS):

• Python implementation of the SCRAM protocol (scramp): https://github.com/tlocke/scramp
• Jackal (XMPP server): https://github.com/ortuman/jackal

SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512:

• SquirelMail (PHP Webmail): https://github.com/RealityRipple/squirrelmail
• A simple, lightweight C library for writing XMPP clients (libstrophe) 0.10.0 (XMPP library): https://github.com/strophe/libstrophe
• Go implementation of RFC-5802 Salted Challenge Response Authentication Mechanism (SCRAM): https://github.com/xdg-go/scram
• Memcached: https://github.com/couchbase/memcached
• Atheme: https://github.com/atheme/atheme
• BitBot: https://github.com/jesopo/bitbot
• HexChat - GTK+ IRC client: https://github.com/hexchat/hexchat | Added support for SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512 hexchat/hexchat#2809 + SCRAM: Small bugfixes hexchat/hexchat#2813
• UnboundID LDAP SDK for Java: https://github.com/pingidentity/ldapsdk
• ldaptive: https://github.com/vt-middleware/ldaptive
• Couchbase: https://blog.couchbase.com/improved-security-couchbase-4-5-scram-sha/ + https://docs.couchbase.com/server/current/learn/security/authentication-overview.html
• Couchbase Key-Value Engine: https://github.com/couchbase/kv_engine
  The JVM core for Couchbase SDKs: https://github.com/couchbase/couchbase-jvm-core
• Skyspark: http://www.alienfactory.co.uk/articles/skyspark-scram-over-sasl
• java-sasl-scram-sha1: https://github.com/trondn/java-sasl-scram-sha1
• passlib.hash.scram: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.scram.html
• XMPP/Jabber Library for Crystal (cr-xmpp) (XMPP library): https://github.com/naqvis/cr-xmpp
• Java implementation of the SCRAM SASL for both server and client (scram-sasl): https://github.com/ogrebgr/scram-sasl
• Sharp.Xmpp.Client: https://github.com/liangdefeng/Sharp.Xmpp.Client
• DataEnter CryptoFilter - The S/MIME Gateway: https://www.dataenter.com/doc/cryptofilter.htm
• DataEnter POPBeamer - The Mail Collector: https://www.dataenter.com/doc/popbeam.htm
• DataEnter SMTPBeamer - The Mail Server: https://www.dataenter.com/doc/smtpbeam.htm
• DataEnter XWall - The Mail Filter: https://www.dataenter.com/doc/xwall.htm
• moxxmpp: A pure-Dart XMPP library: https://github.com/PapaTutuWawa/moxxmpp
• Moxxy: An experiment in building a better XMPP client. This time using Flutter: https://github.com/Polynomdivision/moxxyv2
• Authen::SASL::SCRAM: https://metacpan.org/pod/Authen::SASL::SCRAM + https://github.com/ehuelsmann/authen-sasl-scram
• Apache Qpid JMS: https://github.com/apache/qpid-jms + https://github.com/apache/qpid-jms/tree/main/qpid-jms-client/src/main/resources/META-INF/services/org/apache/qpid/jms/sasl
• Apache Qpid ProtonJ2: https://github.com/apache/qpid-protonj2 + https://github.com/apache/qpid-protonj2/tree/main/protonj2/src/main/java/org/apache/qpid/protonj2/engine/sasl/client
• Apache Qpid Proton DotNet: https://github.com/apache/qpid-proton-dotnet + https://github.com/apache/qpid-proton-dotnet/tree/main/src/Proton/Engine/Sasl/Client
• irssi: https://github.com/irssi/irssi/
• Haskell IRC library and console client: https://github.com/glguy/irc-core

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS) and SCRAM-SHA-512(-PLUS):

• Monal (XMPP client): https://github.com/monal-im/Monal
• Gajim 1.4.x (XMPP client): https://gajim.org/ + https://dev.gajim.org/gajim/gajim
• nbxmpp 3.x, Python library (XMPP library): https://dev.gajim.org/gajim/python-nbxmpp/
• Go XMPP library (From Yasuhiro Matsumoto and based on the code from Russ Cox) (XMPP library): https://github.com/xmppo/go-xmpp
• go-sendxmpp 0.7.0: https://pkg.go.dev/salsa.debian.org/mdosch/go-sendxmpp + https://pkg.go.dev/salsa.debian.org/mdosch/go-sendxmpp
• Conversations (XMPP client): https://conversations.im/ + https://codeberg.org/iNPUTmice/Conversations
• Cheogram (XMPP client): https://cheogram.com/
• Monocles Chat (XMPP client): https://codeberg.org/Arne/monocles_chat
• DJabberd (XMPP server): https://github.com/djabberd/DJabberd
• ProcessOne ejabberd (XMPP server): https://www.ejabberd.im/
• ProcessOne Erlang/Elixir XMPP (XMPP library): https://github.com/processone/xmpp
• CoyIM (XMPP client): https://github.com/coyim/coyim | Important: Do not use it, there is a problem with this XMPP Client
• Tigase XMPP Server 8.1.0 (XMPP server): https://docs.tigase.net/tigase-server/8.1.0/Administration_Guide/html/
• Tigase XMPP Server 8.2.x-dev (XMPP server): https://docs.tigase.net/tigase-server/master-snapshot/Administration_Guide/html/
• Tigase JaXMPP (XMPP library): https://github.com/tigase/jaxmpp
• Tigase TTS-NG: https://github.com/tigase/tigase-tts-ng
• Tigase Stork IM / Tigase Android Messenger (XMPP client): https://github.com/tigase/stork
• Isode M-Link (XMPP server): https://www.isode.com/products/m-link.html
• Isode M-Vault: https://www.isode.com/products/m-vault.html
• Isode M-Switch: https://www.isode.com/products/m-switch-x400.html
• Isode M-Box: https://www.isode.com/products/m-box.html
• libscram: https://github.com/pwithnall/libscram
• MimeKit: https://github.com/jstedfast/MimeKit + http://www.mimekit.net/docs/html/Introduction.htm
• MailKit: https://github.com/jstedfast/MailKit + http://www.mimekit.net/docs/html/Introduction.htm
• An XMPP library implemented in the Racket language: https://gitlab.com/navlost.eu/xmpp/libraries/racket/xmpp + https://docs.racket-lang.org/xmpp/
• Racket SASL: https://github.com/racket/sasl + https://docs.racket-lang.org/sasl/

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-384 and SCRAM-SHA-512:

• Strophe.js 1.6.x (XMPP library): https://github.com/strophe/strophejs
• EchoX: Lightweight XMPP client, purely written in Dart: https://github.com/vsevex/echox
• Infinispan 13.0 Server: https://infinispan.org/docs/stable/titles/server/server.html + https://github.com/infinispan

SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384 and SCRAM-SHA-512:

• Psi/Psi+ (XMPP client) with QCA: https://psi-im.org/ + https://psi-plus.com/ // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• Vacuum IM (XMPP client): https://github.com/Vacuum-IM/vacuum-im // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• eyeCU (XMPP client): https://github.com/eyecu-im/eyecu-qt // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• PEAR PHP Auth_SASL: https://pear.php.net/package/Auth_SASL
• PEAR PHP Auth_SASL2: https://pear.php.net/package/Auth_SASL2
• Authen-SCRAM: https://metacpan.org/release/Authen-SCRAM + https://github.com/dagolden/Authen-SCRAM
• Fastest SCRAM's implementation for Erlang & OTP (fast_scram): https://github.com/esl/fast_scram

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS) and SCRAM-SHA-512(-PLUS):

• Erlang Solutions Escalus: https://github.com/esl/escalus
• Erlang Solutions MongooseIM 3.7.0 (XMPP server): https://github.com/esl/MongooseIM
• Miranda NG (XMPP client): https://github.com/miranda-ng/miranda-ng
• Cyrus SASL 2.1.28 + Cyrus IMAP (Mail server): Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports cyrusimap/cyrus-sasl#552 + https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
• Postfix with Cyrus SASL: https://postfix.org/
• PostfixAdmin with Postfix and Cyrus SASL: https://github.com/postfixadmin
• Mutt (Mail client) with Cyrus SASL: http://mutt.org/
• NeoMutt (Mail client): https://neomutt.org/

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS) and SCRAM-SHA-512(-PLUS):

• Metronome IM (XMPP server): https://metronome.im/ + https://github.com/maranda/metronome
• Wocky XMPP library 2.66 (XMPP library): https://github.com/TelepathyIM/wocky
• WildFly Elytron: https://github.com/wildfly-security/wildfly-elytron (https://github.com/wildfly-security/wildfly-elytron/blob/master/mechanism/scram/src/main/java/org/wildfly/security/mechanism/scram/ScramMechanism.java)

SCRAM-SHA-1, SCRAM-SHA-256(-PLUS) and SCRAM-SHA-512(-PLUS):

• scram-rs: SASL SCRAM SHA-1 SHA-256 SHA-512: https://gitlab.com/relkom/scram-rs
• SmtpFix-rs: A small and simple synchronous Rust library/crate for mail submission to the server as a client: https://gitlab.com/relkom/smtpfix-rs

SCRAM-SHA-1(-PLUS):

• GNU SASL fork - gsasl clone to fix SCRAM-SHA1 server side: https://github.com/20centaurifux/gsasl
• Prosody IM < 0.12 (XMPP server): https://prosody.im/doc/plain_or_hashed#authenticating // SCRAM-SHA-256(-PLUS) in 0.12.
• Swift IM (XMPP client): https://swift.im/swift.html
• Stroke (XMPP library): https://swift.im/swiften.html
• XMPP Client for Sailfish OS: https://github.com/geobra/harbour-shmoose
• Ignite Realtime Smack (XMPP library): https://igniterealtime.org/projects/smack/
• pyxmpp2 (XMPP library): https://github.com/Jajcus/pyxmpp2 + https://pypi.org/project/pyxmpp2/
• XMPP library for .NET Core (XMPP library): https://github.com/ubiety/Ubiety.Xmpp.Core
• Salted Challenge and Response Authentication Mechanism library for .NET Core: https://github.com/ubiety/Ubiety.Scram.Core

SCRAM-SHA-1 and SCRAM-SHA-1-PLUS:

• Slixmpp: https://slixmpp.readthedocs.io/
• Poezio: https://poez.io/

SCRAM-SHA-1:

• Pidgin (XMPP client), Finch, and libpurple: https://pidgin.im/
• Chatty (XMPP client): https://source.puri.sm/Librem5/chatty
• Claws Mail (Mail client): IMAP only: https://www.claws-mail.org/ + https://www.thewildbeast.co.uk/claws-mail/bugzilla/buglist.cgi?quicksearch=scram
• Dovecot: https://doc.dovecot.org/2.3/configuration_manual/authentication/password_schemes/ (Dovecot 2.3.10 has SCRAM-SHA-1 and SCRAM-SHA-256 // 2.4.0 has -PLUS variants)
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin
• SleekXMPP: Python 2.6+/3.1+ XMPP Library: https://github.com/fritzy/SleekXMPP
• MySQL 5.7.19: https://dev.mysql.com/doc/refman/5.7/en/pluggable-authentication-system-variables.html#sysvar_authentication_ldap_sasl_auth_method_name
• PyMongo 2.8: https://api.mongodb.com/
• MongoDB 3.0: https://docs.mongodb.com/manual/release-notes/3.0-scram + http://www.mongoing.com/docs/core/security-scram-sha-1.html (MongoDB 4.0 has SCRAM-SHA-1 and SCRAM-SHA-256)
• jabberd2 (XMPP server): https://github.com/jabberd2/jabberd2
• Ignite Realtime Openfire (XMPP server): https://igniterealtime.org/projects/openfire/
• Ignite Realtime Pàdé: https://igniterealtime.org/projects/pade/
• SASL : SCRAM-SHA-1 (js-sasl-scram-sha-1) // ARCHIVED: https://github.com/legastero/js-sasl-scram-sha-1
• SASL : SCRAM-SHA-1 (js-sasl-scram-sha-1): https://www.npmjs.com/package/sasl-scram-sha-1 + https://github.com/mwild1/js-sasl-scram-sha-1
• authentication using scram (Auth-SCRAM): https://github.com/MARTIMM/Auth-SCRAM
• MatriX vNext: https://github.com/matrix-xmpp/matrix-vnext
• MatriX-JS: https://github.com/matrix-xmpp/matrix-js
• Horde (PHP Webmail / Groupware): https://www.horde.org/ + https://github.com/horde + https://github.com/horde/Imap_Client + https://bugs.horde.org/ticket/15146
• Movim: https://movim.eu/
• Nextcloud Mail: https://nextcloud.com/ + Support strong authentication nextcloud/mail#3146 + Add horde_stringprep to support SCRAM-SHA-1 nextcloud/mail#4377
• xmpp.js (XMPP library): https://github.com/xmppjs/xmpp.js
• Pandion (XMPP client): https://github.com/pandion/pandion
• Tkabber (XMPP client): http://tkabber.jabber.ru/
• react-native-xmpp: https://www.npmjs.com/package/react-native-xmpp
• SASL::SCRAM: https://core.tcl-lang.org/tcllib/doc/trunk/embedded/md/tcllib/files/modules/sasl/scram.md
• SCRAM (Salted Challenge Response Authentication Mechanism) Implementation in Erlang (scramerl): https://github.com/erdemaksu/scramerl
• SCRAM (Salted Challenge Response Authentication Mechanism) Implementation in Go: https://github.com/erdemaksu/scram
• go-scram-sha1: https://github.com/c0nrad/go-scram-sha1
• TypeScript client SCRAM authentication library: https://www.npmjs.com/package/@j2inn/scram
• cl-scram: https://github.com/mprelude/cl-scram
• Pontarius XMPP client library for Haskell (XMPP library): https://github.com/pontarius/pontarius-xmpp
• Artalk.Xmpp (XMPP library): https://github.com/araditc/Artalk.Xmpp
• S22.Xmpp (XMPP library): https://github.com/smiley22/S22.Xmpp
• Protocol implementation for Bosch XMPP protocols (bosch-xmpp): https://github.com/robertklep/bosch-xmpp
• ocaml-xmppl: https://codeberg.org/openEngiadina/ocaml-xmppl + https://github.com/openEngiadina/ocaml-xmppl
• Simple XMPP library in Rust: https://github.com/Florob/rust-xmpp
• The MongoDB driver for Go: https://github.com/go-mgo/mgo
• The MongoDB driver for Go: https://github.com/globalsign/mgo
• DefinitelyTyped: The repository for high quality TypeScript type definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
• Apache Qpid Dispatch: https://github.com/apache/qpid-dispatch
• Apache Qpid Proton: https://github.com/apache/qpid-proton
• Apache Qpid Proton-J: https://github.com/apache/qpid-proton-j
• Apache Hop Orchestration Platform: https://github.com/apache/hop

NOTHING:

• jabberd (XMPP server): https://github.com/mawis/jabberd
• Thunderbird (POP/IMAP/SMTP/LDAP/-PLUS): https://thunderbird.net/ // IMAP (https://bugzilla.mozilla.org/show_bug.cgi?id=1503382) + POP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597102) + SMTP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597103) + LDAP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597106) + -PLUS (https://bugzilla.mozilla.org/show_bug.cgi?id=563276)
• PHP: https://github.com/php/php-src + https://bugs.php.net/bug.php?id=80344 + https://bugs.php.net/bug.php?id=70679 + Add support for SCRAM-SHA-*-PLUS channel binding in PHP streams (e.g., tls-unique, tls-exporter) php/php-src#16766
• Roundcube: http://roundcube.net/
• SOGo: https://www.sogo.nu/
• Owncloud: https://owncloud.com/
• Mutt: http://mutt.org/
• Courier: http://www.courier-mta.org/
• hMailServer: https://github.com/hmailserver/hmailserver + https://www.hmailserver.com/
• K9/Thunderbird: https://k9mail.app/
• MailCore: https://github.com/MailCore
• Mail Framework for C Language: libetpan: https://github.com/dinhvh/libetpan
• js-sasl (saslmechanisms): https://github.com/jaredhanson/js-sasl
• Ignite Realtime Spark (XMPP client): https://igniterealtime.org/projects/spark/
• Jabber-Net fork (XMPP library): https://github.com/ForNeVeR/jabber-net
• Go package for implementing XMPP clients and components (go-xmpp) (XMPP library): https://github.com/xmppo/go-xmpp-atomatt
• go-xmpp (XMPP library): https://github.com/FluuxIO/go-xmpp
• Authen-SASL: https://metacpan.org/release/Authen-SASL + https://github.com/gbarr/perl-authen-sasl
• Haskell XMPP (XMPP library): https://hackage.haskell.org/package/haskell-xmpp
• sasl-php: https://github.com/OpenPrunus/sasl-php
• RainLoop (PHP Webmail): https://github.com/RainLoop/rainloop-webmail
• Mailu: https://github.com/Mailu/Mailu
• FairEmail: https://github.com/M66B/FairEmail
• Jenkins: https://issues.jenkins.io/browse/JENKINS-60705
• MailEnable: https://www.mailenable.com/ + https://www.mailenable.com/forum/viewtopic.php?t=44162
• Symfony: https://symfony.com/
• PHPMailer: https://github.com/PHPMailer/PHPMailer
• Nextcloud Server: https://nextcloud.com/ + https://github.com/nextcloud/server
• Laravel: https://github.com/laravel/framework + SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports laravel/framework#48053
• Zend: https://github.com/zendframework
• Xmpp client written in flutter utilizing Xmpp Stone library: https://github.com/vukoye/xmpp_flutter
• nodemailer: https://github.com/nodemailer/nodemailer + http://nodemailer.com/
• nodemailer/smtp-server: https://github.com/nodemailer/smtp-server
• WildDuck Mail Server: https://github.com/nodemailer/wildduck + https://wildduck.email/

UNKNOWN:

• MDaemon Messaging Server: https://mdaemon.com/
• MDaemon Instant Messenger (MDIM): https://mdaemon.com/
• IceWarp Server Instant Messaging: https://icewarp.com/
• IceWarp Desktop Client: https://icewarp.com/
• eM Client: https://www.emclient.com/