On 2/23/11 11:52 AM, Klaus Darilion wrote:
Am 23.02.2011 11:26, schrieb IƱaki Baz Castillo:
Hi, by reading auth_identity module documentation I get some doubts:
The doc examples use things like:
if (@identity) { t_reply("403", "Invalid Identity header"); drop; }
What is @identity ??
@xxx is a 'select', see ser's select framework:
To add here:
- the selects can be accessed via pseudo-variables framework, like: $sel(xxx) instead of @xxx
Cheers, Daniel
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_li...
http://sip-router.org/wiki/ref_manual/selects
IMO the example looks a bit weird.
- When acting as verifier, the proxy must get the certificate via HTTP
from the URL given in the Identity-Info header of the request. The module doesn't include TCP/HTTP timeouts so, what would happen if an attacker set a non-responding domain in such header? would the kamailio/ser process block when trying to retrieve the certificate until the kernel returns error for the TCP establishment? (it could take even minutes!!!).
Try it. ;-)
The doc says:
1.6.2. auth_add_identity() [...] Note: this function needs the final outgoing message for
authorization, so no module may modify any digest string related headers (From, To, Call-ID, CSeq, Date, Contact) and body after auth_add_identity()'s been called
So we must be careful and don't use fix_contact(), force_rtpproxy() or whatever function modifying From/To/Contact/body. This means that this won't work in most of the cases (who doesn't deal with NATted clients?). The only solution seems to be calling msg_apply_changes(), but this doesn't seem to be very good. Am I wrong? So, is this module really usable in real environments? somebody using it?
You can do any modifications before auth_add_identity(), but not after auth_add_identity(). auth_add_identity() internally calls msg_apply_changes functionality.
regards klaus
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev