[OpenSER-Devel] nonce errors in trunk

Iñaki Baz Castillo ibc at in.ilimit.es
Fri Jun 6 18:37:23 CEST 2008 

El Friday 06 June 2008 18:23:09 Iñaki Baz Castillo escribió:
> El Friday 06 June 2008 17:46:14 Bogdan-Andrei Iancu escribió:
> > Hi Iñaki,
> >
> > could you please point me to the RFC section?

More info:

22.1 Framework

   Under an authentication scheme that uses responses to carry values
   used to compute nonces (such as Digest), some problems come up for
   any requests that take no response, including ACK.  For this reason,
   any credentials in the INVITE that were accepted by a server MUST be
   accepted by that server for the ACK.  UACs creating an ACK message
   will duplicate all of the Authorization and Proxy-Authorization
   header field values that appeared in the INVITE to which the ACK
   corresponds.  Servers MUST NOT attempt to challenge an ACK.

   Although the CANCEL method does take a response (a 2xx), servers MUST
   NOT attempt to challenge CANCEL requests since these requests cannot
   be resubmitted.  Generally, a CANCEL request SHOULD be accepted by a
   server if it comes from the same hop that sent the request being
   canceled (provided that some sort of transport or network layer
   security association, as described in Section 26.2.1, is in place).



Many UAC's don't add credentials in ACK for 2XX, and normally OpenSer doesn't 
ask authentication for those ACK's, but if it would ask for authentication 
then the already sent credentials in the INVITE MUST be valid in the ACK. So 
in this case OpenSer MUST allow reusing credentials and not challenge the 
ACK.



Also take in consideration this text:


 22.3 Proxy-to-User Authentication
 
  If a UA receives a Proxy-Authenticate header field value in a 401/407
   response to a request with a particular Call-ID, it should
   incorporate credentials for that realm in all subsequent requests
   that contain the same Call-ID.  These credentials MUST NOT be cached
   across dialogs; however, if a UA is configured with the realm of its
   local outbound proxy, when one exists, then the UA MAY cache
   credentials for that realm across dialogs.  Note that this does mean
   a future request in a dialog could contain credentials that are not
   needed by any proxy along the Route header path.


It says that a UAC should reuse credentials for in-dialog requests (if they 
are challenged). I know that there is not a MUST but...


Regards.

-- 
Iñaki Baz Castillo
ibc at in.ilimit.es

More information about the Devel mailing list