<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 17 Jun 2020, at 10:58, Aymeric Moizard <<a href="mailto:amoizard@gmail.com" class="">amoizard@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class=""><div class=""><br class=""><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 17 Jun 2020 at 08:29, Olle E. Johansson <<a href="mailto:oej@edvina.net" class="">oej@edvina.net</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class="">Aymeric,<div class="">Good to hear from you!</div></div></blockquote></div></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">;)</div><div dir="auto" class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class=""><br class=""></div><div class="">There’s been some discussion in the IETF which we haven’t resolved on how to handle this. I think you need to set up</div><div class="">different domains or realms each with one auth algorithm. 
If you offer two at the same time - what’s the point?</div></div></blockquote></div></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">I don't understand why using different realms compared to one realm for both would be better?</div></div></div></blockquote>Each realm would have a *SINGLE* auth algorithm.</div><div class=""><br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class="">You are still wide open for downgrade attacks and haven’t accomplished much. </div></div></blockquote></div></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Today, MD5 is used. If both MD5 and SHA-256 are proposed, it can't be worse in terms of security... It is true that it doesn't bring much!</div></div></div></blockquote>Right, if you think you are raising security, you’re wrong… That’s a problem.</div><div class=""><br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class="">My intention is to start migration.</div><div dir="auto" class="">I guess, today, the safest start is to choose at runtime based on the user-agent or some internal rules. In a later step, the old way would be removed.</div></div></div></blockquote>Maybe, but in many cases that will never happen because you have legacy phones that hang around until the end of time.</div><div class="">We need to find a decent way to make segments of your network require stronger algorithms and not offer downgrades. 
Basing that on user-agent headers is not a working solution - and you know it :-)</div><div class=""><br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class="">If people providing services don't start to use newer algo, there won't be any effort on the endpoint side.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">My initial complete objective: (theory)</div><div dir="auto" class="">1/ offer both md5 and sha-256 to user-agents which still use md5 and which are NOT broken in this mode. (Runtime decision)</div><div dir="auto" class="">2/ offer only sha-256 to user-agents with sha-256 support.</div><div dir="auto" class="">3/ offer only MD5 to user-agents which don't support sha-256 AND are broken if both are offered.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">I could also start with points 2 and 3 only, but would prefer to have 1/2/3…</div></div></div></blockquote>Check RFC 8760 for advice and hints on this.</div><div class=""><br class=""></div><div class="">Cheers</div><div class="">/O<br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Regards,</div><div dir="auto" class="">Aymeric</div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class="">I guess we will have to wait until the IETF resolves this issue, which probably applies to more protocols.</div><div class="">The big question is how to upgrade a user base to stronger authentication algorithms in HTTP Digest auth</div><div class="">without allowing downgrade attacks.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">/O<br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 16 Jun 2020, at 20:42, Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" rel="noreferrer" class="">hw@skalatan.de</a>> wrote:</div><br class=""><div class=""><div style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span class="">Hello,<u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Take a look at this parameter, you can switch between MD5 and SHA256, but only use one at a time:<u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><a href="https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer" class="">https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm</a><u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" 
class=""><span lang="EN-GB" class="">About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.<u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Cheers,<u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Henning<u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">--<span class=""> </span><u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Henning Westerholt –<span class=""> </span></span><span class=""><a href="https://skalatan.de/blog/" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer" class=""><span lang="EN-GB" style="color:rgb(5,99,193)" class="">https://skalatan.de/blog/</span></a></span><span lang="EN-GB" class=""><u class=""></u><u class=""></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Kamailio services –<span class=""> </span></span><span class=""><a href="https://gilawa.com/" style="color:blue;text-decoration:underline" target="_blank" 
rel="noreferrer" class=""><span lang="EN-GB" style="color:rgb(5,99,193)" class="">https://gilawa.com</span></a></span><span class=""><span lang="EN-GB" class=""><u class=""></u><u class=""></u></span></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(225,225,225);padding:3pt 0cm 0cm" class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><b class="">From:</b><span class=""> </span>sr-users <<a href="mailto:sr-users-bounces@lists.kamailio.org" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer" class="">sr-users-bounces@lists.kamailio.org</a>><span class=""> </span><b class="">On Behalf Of<span class=""> </span></b>Aymeric Moizard<br class=""><b class="">Sent:</b><span class=""> </span>Monday, June 15, 2020 10:31 PM<br class=""><b class="">To:</b><span class=""> </span>Kamailio (SER) - Users Mailing List <<a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer" class="">sr-users@lists.kamailio.org</a>><br class=""><b class="">Subject:</b><span class=""> </span>[SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...<u class=""></u><u class=""></u></div></div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Hi All,<u class=""></u><u class=""></u></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">I'd 
like to improve my setup by switching to SHA-256. <u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">However, as a first step, I would like to offer both MD5 and SHA-256<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">in 2 different WWW-Authenticate headers.<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">If I'm correct, this is not doable with the latest auth module?<u class=""></u><u class=""></u></div></div><div class=""><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Is this a planned feature?<u class=""></u><u class=""></u></div></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">As an alternative, I would like to decide the algorithm in the script<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">instead of a module parameter. 
It looks to me this is also not doable?<u class=""></u><u class=""></u></div></div><div class=""><div class=""><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Again, is this a planned feature?<u class=""></u><u class=""></u></div></div></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Thanks to all,<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Regards<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Aymeric<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">--<span class=""> </span><u class=""></u><u class=""></u></div><div class=""><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><img border="0" width="48" height="48" id="m_4279969527978397384_x0000_i1025" src="http://sip.antisip.com/am48.png" style="width:0.5in;height:0.5in" class="">Antisip -<span class=""> </span><a href="http://www.antisip.com/" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer" class="">http://www.antisip.com</a><u class=""></u><u class=""></u></div></div></div></div></div><span 
style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important" class="">_______________________________________________</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important" class="">Kamailio (SER) - Users Mailing List</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration:underline;font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer" class="">sr-users@lists.kamailio.org</a><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" 
style="color:blue;text-decoration:underline;font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer" class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></div></blockquote></div><br class=""></div></div>
</blockquote></div></div></div>
</div></blockquote></div><br class=""></div></div></body></html>
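Worked example added after the thread (not code from Kamailio, from RFC 8760, or from any poster): a small Python model of Digest authentication that computes the RFC 7616 qop="auth" response for MD5 and SHA-256 and applies the one-algorithm-per-realm policy Olle describes. A server that pins the algorithm per realm rejects an otherwise correct MD5 response in the SHA-256 realm, while a realm that offers both algorithms accepts whichever the client picked, so its security is bounded by MD5. Realm names, user names, passwords and the nonce are constructed for the demo.

```python
"""Digest authentication (RFC 7616 response form) with one algorithm per realm.

Added example for this thread; not code from Kamailio or from any poster.
Realms, users, passwords and the nonce are constructed, and only the
qop="auth" response form is implemented.
"""
import hashlib
import hmac

HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Policy as Olle describes it: every realm pins exactly one algorithm, so a
# client placed in the strong realm is never offered MD5. (Constructed realms.)
REALM_POLICY = {
    "legacy.example": "MD5",
    "secure.example": "SHA-256",
}

# Constructed credential store keyed by (realm, user).
PASSWORDS = {
    ("legacy.example", "alice"): "legacy-pass",
    ("secure.example", "alice"): "strong-pass",
}


def _h(algorithm, data):
    return HASHES[algorithm](data.encode()).hexdigest()


def digest_response(algorithm, user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 7616 response for qop=auth: H(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _h(algorithm, f"{user}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_challenges(realms, nonce):
    """One WWW-Authenticate value per realm, each advertising a single algorithm."""
    return [
        f'Digest realm="{r}", nonce="{nonce}", qop="auth", algorithm={REALM_POLICY[r]}'
        for r in realms
    ]


def client_answer(algorithm, user, realm, password, nonce, method="REGISTER",
                  uri="sip:example.invalid", nc="00000001", cnonce="c0ffee"):
    """Fields a client sends back in its Authorization header, as a dict."""
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri, "nc": nc,
        "cnonce": cnonce, "algorithm": algorithm,
        "response": digest_response(algorithm, user, realm, password,
                                    method, uri, nonce, nc, cnonce),
    }


def _check(algorithm, creds, method):
    """Recompute the response with the stored password and compare in constant time."""
    password = PASSWORDS.get((creds["realm"], creds["username"]))
    if password is None:
        return False
    expected = digest_response(algorithm, creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"], creds["nc"],
                               creds["cnonce"])
    return hmac.compare_digest(expected, creds["response"])


def verify_pinned(creds, method="REGISTER"):
    """Accept only the algorithm configured for the realm: a correct MD5 response
    in the SHA-256 realm is refused, so the client cannot downgrade."""
    expected_alg = REALM_POLICY.get(creds["realm"])
    if expected_alg is None or creds.get("algorithm", "MD5") != expected_alg:
        return False
    return _check(expected_alg, creds, method)


def verify_any_offered(creds, offered, method="REGISTER"):
    """Naive check for a realm that offered several algorithms: whatever the client
    chose is accepted, so security is bounded by the weakest entry in `offered`."""
    alg = creds.get("algorithm", "MD5")
    if alg not in offered:
        return False
    return _check(alg, creds, method)


def demo():
    nonce = "demo-nonce-1"  # constructed; a real server issues a fresh random nonce
    pw = PASSWORDS[("secure.example", "alice")]
    strong = client_answer("SHA-256", "alice", "secure.example", pw, nonce)
    weak = client_answer("MD5", "alice", "secure.example", pw, nonce)
    legacy = client_answer("MD5", "alice", "legacy.example",
                           PASSWORDS[("legacy.example", "alice")], nonce)
    return {
        "challenges": build_challenges(["secure.example", "legacy.example"], nonce),
        "pinned_accepts_sha256": verify_pinned(strong),
        "pinned_rejects_md5_in_strong_realm": verify_pinned(weak),
        "pinned_accepts_md5_in_legacy_realm": verify_pinned(legacy),
        "both_offered_accepts_md5": verify_any_offered(weak, {"MD5", "SHA-256"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `verify_pinned` is that the decision is made by the server's per-realm configuration, not by what the client claims to support: which realm a device is placed in is the operator's segmentation choice, and the realm then never advertises or accepts the weaker algorithm.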