On 17 Jun 2020, at 17:22, Maxim Sobolev sobomax@sippysoft.com wrote:
Whoever works on this needs to consider two things I think:
- ability to select algorithms when challenging UAC (MD5-only, SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to include multiple HFs(*). MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. Plus enabling challenges for all protocols would expand the size of 401 messages.
Agree, multiple challenges will break stuff. I’m not sure that implementations actually bother with parsing the algorithm parameter.
- ability to accept response in either of supported hashing methods or any combination thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting say SHA-256 back.
If you challenge with SHA512 only, you should not accept anything else.
-Max

*) Example:

401 Unauthorized
[..]
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=MD5, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
So the question is how to migrate. I don’t believe migrating within the same UA base will work smoothly ever. If you have a provisioning system it is easy setting up a SIP subdomain, let’s say “strong.example.com” and use that either for OB proxy or SIP domain, depending on your setup. By doing that, you can have a zone with devices/clients that can handle stronger auth and *only* use that. For the old ones, keep them running until you reasonably can upgrade them.
Of course you can do this with realms too, but that requires a strong realm implementation in the UAs, something that SNOM had in the beginning but removed (maybe it was too hard to explain).
Cheers, /O
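As an added example (not code from this thread, from Kamailio, or from any of the posters), here is a small Python model of the UAS-side rule Olle and Max describe: a Digest credential is accepted only when its algorithm parameter is the one that was challenged, so a SHA-256 challenge answered with an MD5 (or algorithm-less) response is rejected before any hash is compared. The header layout follows RFC 7616 qop=auth; usernames, realms, nonces and passwords below are constructed sample values.

```python
import hashlib
import hmac
import re

# Hash functions keyed by the RFC 7616 algorithm token; a missing token means MD5.
# SHA-512/256 is a distinct FIPS 180-4 hash, available when the OpenSSL build provides it.
ALGORITHMS = {
    "MD5": lambda b: hashlib.md5(b).hexdigest(),
    "SHA-256": lambda b: hashlib.sha256(b).hexdigest(),
    "SHA-512-256": lambda b: hashlib.new("sha512_256", b).hexdigest(),
}

def parse_digest(header):
    """Parse the parameters of a 'Digest ...' header (challenge or credentials) into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params

def digest_response(password, method, p):
    """qop=auth response value (RFC 7616 section 3.4.1) using the algorithm named in p."""
    h = ALGORITHMS[p.get("algorithm", "MD5")]
    a1 = h(f"{p['username']}:{p['realm']}:{password}".encode())
    a2 = h(f"{method}:{p['uri']}".encode())
    return h(f"{a1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{a2}".encode())

def client_authorization(username, realm, password, alg, nonce, uri, cnonce, method="REGISTER"):
    """Build the Authorization header a UAC would send for the given challenge parameters."""
    p = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
         "cnonce": cnonce, "nc": "00000001", "qop": "auth", "algorithm": alg}
    p["response"] = digest_response(password, method, p)
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("nc", "qop", "algorithm") else f'{k}="{v}"' for k, v in p.items())

def verify(challenged_alg, authorization, password, method="REGISTER"):
    """Accept credentials only if they use the algorithm we challenged with AND the hash matches.
    Nonce freshness and nc replay checks are left out here; a real UAS must do them as well."""
    p = parse_digest(authorization)
    if p.get("algorithm", "MD5") != challenged_alg:
        return False  # e.g. challenged SHA-256 but got MD5 (or no algorithm): reject outright
    if p.get("qop") != "auth":
        return False
    return hmac.compare_digest(digest_response(password, method, p), p.get("response", ""))
```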
On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard@gmail.com> wrote:
On Tue., 16 June 2020 at 20:42, Henning Westerholt <hw@skalatan.de> wrote:
Hello,
take a look at this parameter, you can switch between MD5 and SHA256, but only use one at a time:
https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
Thanks for your answer. If I have some time, I might try to make a PR on being able to select the algorithm at runtime.
Regards, Aymeric
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Aymeric Moizard
Sent: Monday, June 15, 2020 10:31 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
Hi All,
I'd like to improve my setup by switching to SHA-256.
However, as a first step, I would like to offer both MD5 and SHA-256
in 2 different WWW-Authenticate headers.
If I'm correct, this is not doable with the latest auth module?
Is this a planned feature?
As an alternative, I would like to decide the algorithm in the script
instead of a module parameter. It looks to me this is also not doable?
Again, is this a planned feature?
Thanks to all,
Regards
Aymeric
--
Antisip - http://www.antisip.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users