Martin Hoffmann writes:
My plan was to eventually start a branch of my own in git. Haven't gotten round to it yet.
i would do it so that if www or proxy_authorize function returns -4 (stale nonce) then i would call www or proxy_challenge with stale flag on. it would then cause stale=true to be added to the header.
That would be an option, too, but IMHO it makes the whole authorization bit in the config unnecessarily messy.
why is that? i now have,
if (!radius_proxy_authorize("$var(uri_domain)", "$var(uri_user)")) { switch ($rc) { ... case -4: xlog("L_INFO", "$rm <$ru> by <$var(uri)> has stale nonce\n"); www_challenge("$td", "1"); exit;
the only thing i would need to change is www_challenge flag parameter value from "1" to "9".
currently README says:
1.4.2. www_challenge(realm, flags) ... * flags - Value of this parameter can be a bitmask of following: + 1 - build challenge header with qop=auth + 2 - build challenge header with qop=auth-int + 4 - do not send '500 Internal Server Error' reply automatically in failure cases (error code is returned to config)
so i propose adding this:
+ 8 - build challenge header with stale=true
it would be a simple, fully backwards compatible new feature.
-- juha