Le mer. 17 juin 2020 à 08:29, Olle E. Johansson <oej@edvina.net> a écrit :
Aymeric,
Good to hear from you!

;)

There’s been some discussion in the IETF which we haven’t resolved on how to handle this. I think you need to setup
different domains or realms each with one auth algorithm. If you offer two at the same time - what’s the point?

I don't understand why using different realm compared to one realm for both would be better?

You are still wide open for downgrade attacks and haven’t accomplished much. 

Today, MD5 is used. If both MD5 and SHA-256 are proposed, it can't be worst in terms of security... It is true that it doesn't bring much!

My intention is to start migration.
I guess, today, the safest start is to choose at runtime based on the user-agent or some internal rules. In a later step, the old way would be removed.

If people providing services don't start to use newer algo, there won't be any effort on the endpoint side.

My initial complete objective: (theory)
1/ offer bother md5 and sha-256 to user-agent which still use md5 and which are NOT broken in this mode. (Runtime decision)
2/ offer only sha-256 to user-agent with sha-256 support.
3/ offer only MD5 to user-agent with don't support sha-256 AND are broken if both are offered.

I could also start with point 2 and 3 only, but would prefer to have 1/2/3...


Regards,
Aymeric

I guess we will have to wait until the IETF resolves this issue, which propably applies to more protocols.
The big question is how to upgrade a user base to stronger authentication algorithms in HTTP Digest auth
without allowing downgrade attacks.

Cheers,
/O

On 16 Jun 2020, at 20:42, Henning Westerholt <hw@skalatan.de> wrote:

Hello,
 
take a look to this parameter, you can switch between MD5 and SHA256, but only use once at a time:
 
 
About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
 
Cheers,
 
Henning
 
-- 
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
 
From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Aymeric Moizard
Sent: Monday, June 15, 2020 10:31 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
 
Hi All,
 
I'd like to improve my setup by switching to SHA-256. 
However, as a first step, I would like to offer both MD5 and SHA-256
in 2 different WWW-Authenticate header.
 
If I'm correct, this is not doable with the latest auth module?
Is this a planned feature?
 
As an alternative, I would like to decide the algorithm in the script
instead of a module parameter. It looks to me this is also not doable?
Again, is this a planned feature?
 
Thanks to all,
 
Regards
Aymeric
 
-- 
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users