<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 17 Jun 2020 at 08:29, Olle E. Johansson <<a href="mailto:oej@edvina.net">oej@edvina.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Aymeric,<div>Good to hear from you!</div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">;)</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div><br></div><div>There’s been some discussion in the IETF which we haven’t resolved on how to handle this. I think you need to set up</div><div>different domains or realms each with one auth algorithm. If you offer two at the same time - what’s the point?</div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I don't understand why using different realms compared to one realm for both would be better?</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div>You are still wide open for downgrade attacks and haven’t accomplished much. </div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Today, MD5 is used. If both MD5 and SHA-256 are proposed, it can't be worse in terms of security... It is true that it doesn't bring much!</div><div dir="auto"><br></div><div dir="auto">My intention is to start migration.</div><div dir="auto">I guess, today, the safest start is to choose at runtime based on the user-agent or some internal rules. 
In a later step, the old way would be removed.</div><div dir="auto"><br></div><div dir="auto">If people providing services don't start to use newer algorithms, there won't be any effort on the endpoint side.</div><div dir="auto"><br></div><div dir="auto">My initial complete objective: (theory)</div><div dir="auto">1/ offer both md5 and sha-256 to user-agents which still use md5 and which are NOT broken in this mode. (Runtime decision)</div><div dir="auto">2/ offer only sha-256 to user-agents with sha-256 support.</div><div dir="auto">3/ offer only MD5 to user-agents which don't support sha-256 AND are broken if both are offered.</div><div dir="auto"><br></div><div dir="auto">I could also start with points 2 and 3 only, but would prefer to have 1/2/3...</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Regards,</div><div dir="auto">Aymeric</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div>I guess we will have to wait until the IETF resolves this issue, which probably applies to more protocols.</div><div>The big question is how to upgrade a user base to stronger authentication algorithms in HTTP Digest auth</div><div>without allowing downgrade attacks.</div><div><br></div><div>Cheers,</div><div>/O<br><div><br><blockquote type="cite"><div>On 16 Jun 2020, at 20:42, Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" rel="noreferrer">hw@skalatan.de</a>> wrote:</div><br><div><div style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span>Hello,<u></u><u></u></span></div><div 
style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">Take a look at this parameter, you can switch between MD5 and SHA256, but only use one at a time:<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><a href="https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer">https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm</a><u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">About planned features – I am not aware of major extensions in this module. 
Of course, any contribution is welcome.<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">Cheers,<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">Henning<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">--<span> </span><u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">Henning Westerholt –<span> </span></span><span><a href="https://skalatan.de/blog/" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer"><span lang="EN-GB" style="color:rgb(5,99,193)">https://skalatan.de/blog/</span></a></span><span lang="EN-GB"><u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB">Kamailio services –<span> </span></span><span><a href="https://gilawa.com/" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer"><span lang="EN-GB" style="color:rgb(5,99,193)">https://gilawa.com</span></a></span><span><span lang="EN-GB"><u></u><u></u></span></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-GB"><u></u> <u></u></span></div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(225,225,225);padding:3pt 0cm 0cm"><div style="margin:0cm 0cm 0.0001pt 
35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><b>From:</b><span> </span>sr-users <<a href="mailto:sr-users-bounces@lists.kamailio.org" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer">sr-users-bounces@lists.kamailio.org</a>><span> </span><b>On Behalf Of<span> </span></b>Aymeric Moizard<br><b>Sent:</b><span> </span>Monday, June 15, 2020 10:31 PM<br><b>To:</b><span> </span>Kamailio (SER) - Users Mailing List <<a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a>><br><b>Subject:</b><span> </span>[SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...<u></u><u></u></div></div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Hi All,<u></u><u></u></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">I'd like to improve my setup by switching to SHA-256. 
<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">However, as a first step, I would like to offer both MD5 and SHA-256<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">in 2 different WWW-Authenticate headers.<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">If I'm correct, this is not doable with the latest auth module?<u></u><u></u></div></div><div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Is this a planned feature?<u></u><u></u></div></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">As an alternative, I would like to decide the algorithm in the script<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">instead of a module parameter. 
It looks to me this is also not doable?<u></u><u></u></div></div><div><div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Again, is this a planned feature?<u></u><u></u></div></div></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks to all,<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Regards<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">Aymeric<u></u><u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif">--<span> </span><u></u><u></u></div><div><div style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><img border="0" width="48" height="48" id="m_4279969527978397384_x0000_i1025" src="http://sip.antisip.com/am48.png" style="width:0.5in;height:0.5in">Antisip -<span> </span><a href="http://www.antisip.com/" style="color:blue;text-decoration:underline" target="_blank" rel="noreferrer">http://www.antisip.com</a><u></u><u></u></div></div></div></div></div><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">_______________________________________________</span><br 
style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">Kamailio (SER) - Users Mailing List</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration:underline;font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" style="color:blue;text-decoration:underline;font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></div></blockquote></div><br></div></div>
</blockquote></div></div></div>
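As an added example that is not code from the thread or from Kamailio's auth module, here is the three-class plan Aymeric sketches written out as server-side logic: the challenge set is picked per User-Agent, and the verifier rejects any Authorization response whose algorithm was not among the challenges that client was offered, which is what closes the downgrade Olle raises for clients that were offered SHA-256 only. The realm, the User-Agent table and the credentials are constructed assumptions.

```python
import hashlib
import hmac

REALM = "sip.example.com"  # constructed value, not from the thread

# Constructed policy table (an assumption for illustration, not a real UA list):
#   class 1: still uses MD5 but tolerates two WWW-Authenticate headers -> offer both
#   class 2: supports SHA-256 -> offer SHA-256 only
#   class 3: breaks when two challenges are present -> offer MD5 only
UA_POLICY = {
    "LegacyPhone/1.0": ("MD5", "SHA-256"),
    "ModernClient/2.0": ("SHA-256",),
    "FragilePhone/0.9": ("MD5",),
}
DEFAULT_OFFER = ("MD5", "SHA-256")

def challenges_for(user_agent):
    """Algorithms to challenge with; the server emits one WWW-Authenticate per entry."""
    return UA_POLICY.get(user_agent, DEFAULT_OFFER)

def _h(algorithm, text):
    """Hash for the RFC 7616 algorithm token, as a hex digest."""
    hasher = hashlib.md5 if algorithm == "MD5" else hashlib.sha256
    return hasher(text.encode()).hexdigest()

def digest_response(algorithm, user, password, method, uri, nonce, nc, cnonce):
    """RFC 7616 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _h(algorithm, f"{user}:{REALM}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(user_agent, resp_algorithm, response, user, password, method, uri,
           nonce, nc, cnonce):
    """Check a client's response against the challenges that client was offered.

    Returns (ok, downgraded). An algorithm that was not offered is rejected, so a
    client offered SHA-256 only cannot answer with MD5; an MD5 answer from a
    client offered both is accepted but flagged for migration tracking.
    """
    offered = challenges_for(user_agent)
    if resp_algorithm not in offered:
        return False, False
    expected = digest_response(resp_algorithm, user, password, method, uri,
                               nonce, nc, cnonce)
    ok = hmac.compare_digest(expected, response)
    downgraded = resp_algorithm == "MD5" and "SHA-256" in offered
    return ok, downgraded
```

For class 1 clients an MD5 answer is still accepted, so there the downgraded flag is only a migration signal, not a protection.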