<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Jun 2020, at 17:22, Maxim Sobolev <<a href="mailto:sobomax@sippysoft.com" class="">sobomax@sippysoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="auto" class="">Whoever works on this needs to consider two things I think:<div dir="auto" class=""><br class=""></div><div dir="auto" class="">- ability to select algorithms when challenging UAC (MD5-only, SHA256-only, <span style="font-size: 13.3333px;" class="">SHA-512/256-only, all permutations</span>). 

The RFC allows a UAS to include multiple HFs (*).  

MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. 

Plus enabling challenges for all protocols would expand the size of 401 messages. </div></div></div></div></div></blockquote>Agree, multiple challenges will break stuff. I’m not sure that implementations actually bother with parsing the algorithm parameter.<br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class="">- ability to accept a response in either of the supported hashing methods or any combination thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting say SHA-256 back.</div></div></div></div></div></blockquote>If you challenge with SHA512 only, you should not accept anything else.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="auto" class=""><div dir="auto" class=""><br class=""></div><div class="">-Max</div><div class=""><pre class="gmail-newpage" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; break-before: page;">*) Example:</pre><pre class="gmail-newpage" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; break-before: page;">401 Unauthorized</pre><pre class="gmail-newpage" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; break-before: page;">[..]
WWW-Authenticate: Digest
       realm="<a href="mailto:http-auth@example.org" class="">http-auth@example.org</a>",
       qop="auth, auth-int",
       algorithm=SHA-256,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest
       realm="<a href="mailto:http-auth@example.org" class="">http-auth@example.org</a>",
       qop="auth, auth-int",
       algorithm=MD5,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
</pre></div></div></div></div></div></blockquote><div><br class=""></div>So the question is how to migrate. I don’t believe migrating within the same UA base will ever work smoothly. If you have a provisioning system</div><div>it is easy to set up a SIP subdomain, let’s say “<a href="http://strong.example.com" class="">strong.example.com</a>”, and use that either for the OB proxy or the SIP domain, depending on your setup.</div><div>By doing that, you can have a zone with devices/clients that can handle stronger auth and *only* use that. For the old ones, keep them</div><div>running until you reasonably can upgrade them. </div><div><br class=""></div><div>Of course you can do this with realms too, but that requires a strong realm implementation in the UAs, something that SNOM had in</div><div>the beginning but removed (maybe it was too hard to explain).</div><div><br class=""></div><div>Cheers,</div><div>/O</div><div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="auto" class=""><div class=""><br class="gmail-Apple-interchange-newline"></div></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <<a href="mailto:amoizard@gmail.com" target="_blank" class="">amoizard@gmail.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class=""><div dir="ltr" class=""><br class=""></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue., Jun. 16, 2020 at 20:42, Henning Westerholt <<a href="mailto:hw@skalatan.de" rel="noreferrer" target="_blank" class="">hw@skalatan.de</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="DE" class="">
<div class=""><p class="MsoNormal"><span class="">Hello,<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">Take a look at this parameter; you can switch between MD5 and SHA256, but only use one at a time:<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><a href="https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm" rel="noreferrer" target="_blank" class="">https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm</a>
<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u></span></p></div></div></blockquote><div class=""><br class=""></div><div class="">Thanks for your answer.</div><div class="">If I have some time, I might try to make a PR on being able to select the algorithm at runtime.</div><div class=""><br class=""></div><div class="">Regards,</div><div class="">Aymeric</div><div class=""> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="DE" class=""><div class=""><p class="MsoNormal"><span lang="EN-GB" class=""> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">Cheers,<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">Henning<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">-- <u class=""></u>
<u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">Henning Westerholt –
</span><span class=""><a href="https://skalatan.de/blog/" rel="noreferrer" target="_blank" class=""><span lang="EN-GB" style="color:rgb(5,99,193)" class="">https://skalatan.de/blog/</span></a></span><span lang="EN-GB" class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span lang="EN-GB" class="">Kamailio services –
</span><span class=""><a href="https://gilawa.com/" rel="noreferrer" target="_blank" class=""><span lang="EN-GB" style="color:rgb(5,99,193)" class="">https://gilawa.com</span></a></span><span class="">
<span lang="EN-GB" class=""><u class=""></u><u class=""></u></span></span></p><p class="MsoNormal"><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0cm 0cm" class=""><p class="MsoNormal" style="margin-left:35.4pt"><b class="">From:</b> sr-users <<a href="mailto:sr-users-bounces@lists.kamailio.org" rel="noreferrer" target="_blank" class="">sr-users-bounces@lists.kamailio.org</a>>
<b class="">On Behalf Of </b>Aymeric Moizard<br class="">
<b class="">Sent:</b> Monday, June 15, 2020 10:31 PM<br class="">
<b class="">To:</b> Kamailio (SER) - Users Mailing List <<a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer" target="_blank" class="">sr-users@lists.kamailio.org</a>><br class="">
<b class="">Subject:</b> [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...<u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Hi All,<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">I'd like to improve my setup by switching to SHA-256. <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">However, as a first step, I would like to offer both MD5 and SHA-256<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">in 2 different WWW-Authenticate headers.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">If I'm correct, this is not doable with the latest auth module?<u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Is this a planned feature?<u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">As an alternative, I would like to decide the algorithm in the script<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">instead of a module parameter. It looks to me this is also not doable?<u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Again, is this a planned feature?<u class=""></u><u class=""></u></p>
</div>
</div>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Thanks to all,<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Regards<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">Aymeric<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt">-- <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:35.4pt"><img border="0" width="48" height="48" style="width: 0.5in; height: 0.5in;" id="gmail-m_8869182984838928819m_3767161181713272614gmail-m_-1831920577507351277_x0000_i1025" src="http://sip.antisip.com/am48.png" class="">Antisip -
<a href="http://www.antisip.com/" rel="noreferrer" target="_blank" class="">http://www.antisip.com</a><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div>
</div>

</blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div dir="ltr" class=""><img src="http://sip.antisip.com/am48.png" class="">Antisip - <a href="http://www.antisip.com/" rel="noreferrer" target="_blank" class="">http://www.antisip.com</a><br class=""></div></div>
_______________________________________________<br class="">
Kamailio (SER) - Users Mailing List<br class="">
<a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer" target="_blank" class="">sr-users@lists.kamailio.org</a><br class="">
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer" target="_blank" class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class="">
</blockquote></div>
</div>
</div></blockquote></div><br class=""></body></html>
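<div>The exchange the thread is arguing about, as an added example that is not part of any message above and is not Kamailio code or any UA's code: a UAS that challenges with one or more WWW-Authenticate headers (one per algorithm, as in the RFC example Max quoted), a UAC that answers the first challenge it supports, and a UAS check that refuses any algorithm it did not challenge with, which is Olle's "challenge with SHA-256 only, accept nothing else" rule. It covers qop=auth only, reuses one nonce across the challenges as in the quoted example, and the realm, nonce, opaque and account are constructed for the demo. SHA-512-256 is listed but only resolved when used, since not every hashlib build exposes it.</div>

```python
"""Added example (not from the thread, Kamailio or any UA): SIP Digest round
trip in the RFC 3261 / RFC 8760 style with MD5, SHA-256 and SHA-512-256, and a
UAS that rejects any algorithm it did not challenge with. qop=auth only;
realm, nonce, opaque and credentials below are constructed."""
import hashlib
import hmac
import re
import secrets

# Algorithm tokens as they appear on the wire; SHA-512-256 resolved lazily.
HASHES = {
    "MD5": lambda: hashlib.md5(),
    "SHA-256": lambda: hashlib.sha256(),
    "SHA-512-256": lambda: hashlib.new("sha512_256"),
}
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]*))')


def h(alg, data):
    """Hex digest of a string under the named Digest algorithm."""
    d = HASHES[alg]()
    d.update(data.encode())
    return d.hexdigest()


def parse_digest(value):
    """Parse 'Digest k=v, k="v", ...' into a dict; values may be quoted or bare."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %r" % scheme)
    return {k: (q or b) for k, q, b in _PARAM_RE.findall(params)}


def build_challenges(realm, algorithms, nonce, opaque):
    """One WWW-Authenticate value per algorithm, in UAS preference order.
    A conservative default is ("MD5",) alone, since some UACs choke on
    several challenges."""
    return ['Digest realm="%s", qop="auth", algorithm=%s, nonce="%s", opaque="%s"'
            % (realm, alg, nonce, opaque) for alg in algorithms]


def digest_response(alg, username, realm, password, method, uri, nonce, nc, cnonce):
    """qop=auth response: H(H(A1):nonce:nc:cnonce:auth:H(A2))."""
    ha1 = h(alg, "%s:%s:%s" % (username, realm, password))
    ha2 = h(alg, "%s:%s" % (method, uri))
    return h(alg, "%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))


def uac_answer(challenges, supported, username, password, method, uri, cnonce=None):
    """UAC side: answer the first challenge whose algorithm is supported.
    Returns the Authorization value, or None if no challenge fits."""
    cnonce = cnonce or secrets.token_hex(8)
    for raw in challenges:
        ch = parse_digest(raw)
        alg = ch.get("algorithm", "MD5")   # a missing algorithm parameter means MD5
        if alg not in supported:
            continue
        resp = digest_response(alg, username, ch["realm"], password, method, uri,
                               ch["nonce"], "00000001", cnonce)
        return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
                'nc=00000001, cnonce="%s", algorithm=%s, response="%s", opaque="%s"'
                % (username, ch["realm"], ch["nonce"], uri, cnonce, alg, resp, ch["opaque"]))
    return None


def uas_verify(authorization, challenged, expected_nonce, method, passwords):
    """UAS side. Returns (ok, detail). The first check is the downgrade guard:
    an algorithm that was not challenged is rejected before anything else, so
    a SHA-256-only challenge cannot be answered with MD5."""
    a = parse_digest(authorization)
    alg = a.get("algorithm", "MD5")
    if alg not in challenged:
        return False, "algorithm %s was not challenged" % alg
    if a.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if a.get("qop", "auth") != "auth":
        return False, "unsupported qop"
    pw = passwords.get((a.get("username"), a.get("realm")))
    if pw is None:
        return False, "unknown user"
    expected = digest_response(alg, a["username"], a["realm"], pw, method, a["uri"],
                               a["nonce"], a["nc"], a["cnonce"])
    if not hmac.compare_digest(expected, a.get("response", "")):
        return False, "bad response"
    return True, alg


def demo(uas_algorithms=("SHA-256",), uac_supported=("MD5", "SHA-256")):
    """One REGISTER challenge/response round; returns the UAS verdict."""
    realm, nonce, opaque = "strong.example.com", "7ypf/xlj9XXwfDPEoM4URrv", "FQhe/qaU925kfnz"
    passwords = {("alice", realm): "correct horse"}   # constructed test account
    challenges = build_challenges(realm, uas_algorithms, nonce, opaque)
    auth = uac_answer(challenges, uac_supported, "alice", "correct horse",
                      "REGISTER", "sip:" + realm)
    if auth is None:
        return False, "UAC supports none of the challenged algorithms"
    return uas_verify(auth, set(uas_algorithms), nonce, "REGISTER", passwords)


if __name__ == "__main__":
    print(demo())                                  # SHA-256 zone, modern UAC
    print(demo(("SHA-256", "MD5"), ("MD5",)))      # mixed challenge, legacy UAC falls back to MD5
    print(demo(("SHA-256",), ("MD5",)))            # SHA-256-only zone, legacy UAC cannot register
```

<div>The three calls at the bottom mirror the migration plan in the reply: the "strong" zone challenges with SHA-256 only and a legacy MD5-only client simply cannot register there, while a mixed challenge lets the legacy client fall back to MD5, which is exactly the downgrade the verifier must refuse in the strong zone. In Kamailio terms, the auth module's algorithm parameter linked in Henning's message fixes the challenged algorithm for one instance, which is what the subdomain-per-zone approach relies on.</div>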