Hi all,
Is it sane to use:
if (uri==myself) { if (method=="REGISTER") { if (!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; } else { if (!www_authorize("", "subscriber")) { if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; }; }; }; };
Or anything here appears to be wrong ?
Thank you.
www_authorize/www_challenge should be used in register. proxy_authorize/proxy_challenge in invite.
I don't see any need for the www_authorize in invite and I don't think any messages other than register and invite support authentication.
-----Original Message----- From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Thomas Britis Sent: Tuesday, August 23, 2005 12:16 PM To: serusers@lists.iptel.org Subject: [Serusers] www_challange and proxy_challange
Hi all,
Is it sane to use:
if (uri==myself) { if (method=="REGISTER") { if (!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; } else { if (!www_authorize("", "subscriber")) { if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; }; }; }; };
Or anything here appears to be wrong ?
Thank you.
Chris St Denis wrote:
www_authorize/www_challenge should be used in register. proxy_authorize/proxy_challenge in invite.
I don't see any need for the www_authorize in invite and I don't think any messages other than register and invite support authentication.
All SIP messages except CANCEL can be challenged. But due to broken SIP clients it is sometimes better to not authenticate BYE and ACK.
regards klaus
-----Original Message----- From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Thomas Britis Sent: Tuesday, August 23, 2005 12:16 PM To: serusers@lists.iptel.org Subject: [Serusers] www_challange and proxy_challange
Hi all,
Is it sane to use:
if (uri==myself) { if (method=="REGISTER") { if (!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; } else { if (!www_authorize("", "subscriber")) { if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; }; }; }; };
Or anything here appears to be wrong ?
Thank you.
Seems pointless to challenge an ACK.
Anyway, with ACK and BYE are they supposed to get proxy or www challenge?
-----Original Message----- From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at] Sent: Tuesday, August 23, 2005 3:25 PM To: Chris St Denis Cc: 'Thomas Britis'; serusers@lists.iptel.org Subject: Re: [Serusers] www_challange and proxy_challange
Chris St Denis wrote:
www_authorize/www_challenge should be used in register. proxy_authorize/proxy_challenge in invite.
I don't see any need for the www_authorize in invite and I don't think any messages other than register and invite support authentication.
All SIP messages except CANCEL can be challenged. But due to broken SIP clients it is sometimes better to not authenticate BYE and ACK.
regards klaus
-----Original Message----- From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Thomas Britis Sent: Tuesday, August 23, 2005 12:16 PM To: serusers@lists.iptel.org Subject: [Serusers] www_challange and proxy_challange
Hi all,
Is it sane to use:
if (uri==myself) { if (method=="REGISTER") { if (!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; } else { if (!www_authorize("", "subscriber")) { if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; }; }; }; };
Or anything here appears to be wrong ?
Thank you.
If the proxy is the endpoint of the request, it should use www_auth. If the proxy is an intermediate hop, it should use proxy_auth.
Thus, usually you use: - www_auth for REGISTER - proxy_auth for INVITE, BYE, MESSAGE, ...
I'm little bit unsure how to challange PUBLISH and SUBSCRIBE as they might be terminated in the proxy (pa module) or in the client (end2end presence).
My personal opinion: authentication of out-of-dialog messages is a must. authentication of in-dialog requests should be relaxed due to broken clients.
regards klaus
Chris St Denis wrote:
Seems pointless to challenge an ACK.
Anyway, with ACK and BYE are they supposed to get proxy or www challenge?
-----Original Message----- From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at] Sent: Tuesday, August 23, 2005 3:25 PM To: Chris St Denis Cc: 'Thomas Britis'; serusers@lists.iptel.org Subject: Re: [Serusers] www_challange and proxy_challange
Chris St Denis wrote:
www_authorize/www_challenge should be used in register. proxy_authorize/proxy_challenge in invite.
I don't see any need for the www_authorize in invite and I don't think any messages other than register and invite support authentication.
All SIP messages except CANCEL can be challenged. But due to broken SIP clients it is sometimes better to not authenticate BYE and ACK.
regards klaus
-----Original Message----- From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Thomas Britis Sent: Tuesday, August 23, 2005 12:16 PM To: serusers@lists.iptel.org Subject: [Serusers] www_challange and proxy_challange
Hi all,
Is it sane to use:
if (uri==myself) { if (method=="REGISTER") { if (!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; } else { if (!www_authorize("", "subscriber")) { if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; }; }; }; };
Or anything here appears to be wrong ?
Thank you.
On 24-08-2005 09:31, Klaus Darilion wrote:
If the proxy is the endpoint of the request, it should use www_auth. If the proxy is an intermediate hop, it should use proxy_auth.
Thus, usually you use:
- www_auth for REGISTER
- proxy_auth for INVITE, BYE, MESSAGE, ...
I'm little bit unsure how to challange PUBLISH and SUBSCRIBE as they might be terminated in the proxy (pa module) or in the client (end2end presence).
A good implementation should not care whether it gets proxy_auth or www_auth, it can also get both in the same message in more complex scenarios (this is rarely supported in user agents).
Jan.
-
Chris St Denis -
Jan Janak -
Klaus Darilion -
Thomas Britis