With PLAIN auth enabled prosody and my client calculate the same downgrade protection hash (calc is calculated by my client, recv is what my client receives from prosody): ``` raw: OAUTHBEARER,PLAIN,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter calc: fXNRzKJ3ccSa9fGXEJotLadWM5g= recv: fXNRzKJ3ccSa9fGXEJotLadWM5g= ``` If I disable PLAIN auth by setting `disable_sasl_mechanisms = { "PLAIN" } ` there is a discrepancy between the downgrade protection hashes: ``` raw: OAUTHBEARER,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter calc: KLdxyd14RVfso6sao6+8+xGr/Lc= recv: fXNRzKJ3ccSa9fGXEJotLadWM5g= ``` As the downgrade protection hash sent from prosody is identical in both cases it seems that mod_sasl_ssdp ignores the deactivation of PLAIN.

Thanks for the report I think we discussed this in the chat. Was this a problem with mod_sasl_ssdp not taking disable_sasl_mechanisms etc into account?

• tags Component-Community

Yes, exactly.

Using Thilos [patches](https://groups.google.com/g/prosody-dev/c/XpdWuJv_-hM/m/-GZGtzVMBgAJ) it works for me: ``` raw: OAUTHBEARER,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter calc: KLdxyd14RVfso6sao6+8+xGr/Lc= recv: KLdxyd14RVfso6sao6+8+xGr/Lc= downgrade protection success ```