tks, that cleared it up ...I think :-), interesting that there are so many levels of auth for a call, am sure alot of setups have a few open holes in them
Iqbal
Greger V. Teigre wrote:
A quick reply without verifying, so no guarantees on the quality of the answers...
www_authorize , will this always fail, ? because it seems to and then a www.challenge is sent.
If the message has included digest credentials and the nonce value has not expired, it will not fail, but just verify the credentials without an extra authentication.
In www.challenge, is it okay to leave the realm blank, as I have done, or is it better practice to have the same realm as that in www_authorise("", "1");
I think leaving it blank (both www_authorize and challenge) is better if you have multiple domains, as the realm will be implicit. However, I believe you should either set both or none.
check_to should only be run if auth is correct above , is that correct?
That's correct.
Why run check_to at all, ?
Because the username and authorization can be set to different values. As the username is registered as the location, you can for example use email address for authentication and a phone number for username. The user will then be accessible through the phone number, but not email address. However, the user may configure the device with ANY phone number unless you check that the username is allowed for this particular authentication user. This check is what check_to enforces by making sure that authentication user and username are equal.
and then u have proxy_auth and proxy_challenge, and is_from_local and is_uri_local, surely all these dont need to be used as checks in INVITE or do they.
The first two are for security, the last two are for routing: is_from_local checks the caller's domain part agains the DB of local domains. If you use domain when authentication the INVITE, you don't need is_from_local as a security measure, but rather as a way to detect messages from local UACs. is_uri_local does the same for the destination (callee) to determine whether it's local.
g-)
.