I have finished the SCRAM implementation in GNU SASL. The remaining feature to be added were support for the “enhanced” SCRAM-SHA-1-PLUS variant instead of just the normal SCRAM-SHA-1 mechanism. The difference is that the latter supports channel bindings to TLS, which makes it possible to detect man-in-the-middle attacks even if TLS is not used with server authentication. In GnuTLS we recently added an API for applications to extract channel bindings, which you will need to use in order to use SCRAM-SHA-1-PLUS. I announced the experimental version 1.5.4 release together with a writeup on how to test it. With this, our support for SCRAM should be complete.
Pingback: On Password Hashing and RFC 6070 « Simon Josefsson's blog
re RFC section 6
“If the server would never succeed in the authentication of the non-PLUS-variant due to policy reasons, it MUST advertise only the PLUS-variant.”
What would some of your “nevers” be?
The simplest and probably most likely example would be if the server admin has a policy that require strict PLUS-only authentication. Then it makes no sense to advertise non-PLUS because that would (by their policy) never be able to complete.