[sr-dev] Some question about auth_identity module

Iñaki Baz Castillo ibc at aliax.net
Wed Feb 23 11:26:03 CET 2011


Hi, by reading the auth_identity module documentation I have some doubts:


- The doc examples use things like:

    if (@identity) {
      t_reply("403", "Invalid Identity header");
      drop;
    }

What is @identity?


- When acting as verifier, the proxy must get the certificate via HTTP
from the URL given in the Identity-Info header of the request. The
module doesn't include TCP/HTTP timeouts, so what would happen if an
attacker set a non-responding domain in such a header? Would the
kamailio/ser process block when trying to retrieve the certificate
until the kernel returns an error for the TCP establishment? (It could
even take minutes!)


- The doc says:

    1.6.2.  auth_add_identity()
    [...]
    Note: this function needs the final outgoing message for
    authorization, so no module may modify any digest string related
    headers (From, To, Call-ID, CSeq, Date, Contact) and body after
    auth_add_identity()'s been called

So we must be careful not to use fix_contact(), force_rtpproxy() or
whatever function modifies From/To/Contact/body. This means that this
won't work in most cases (who doesn't deal with NATted clients?). The
only solution seems to be calling msg_apply_changes(), but this doesn't
seem to be very good. Am I wrong? So, is this module really usable in
real environments? Is somebody using it?


Thanks.


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
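As an added illustration of the second point above (example code, not part of the original post and not the auth_identity module's own verifier), the following Python fetches the certificate named in an Identity-Info header with a bounded timeout and a size cap, and shows the bound holding against a local listener that accepts the TCP connection and then never sends a byte, standing in for an attacker's host. The listener, the URL, MAX_CERT_BYTES and the helper names are assumptions of this example; the scheme check reflects RFC 4474's requirement that the Identity-Info URI be https, and plain http is enabled only for the local demonstration.

```python
"""Bounded fetch of an Identity-Info certificate URL (added example)."""
import socket
import threading
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse

MAX_CERT_BYTES = 16 * 1024   # assumption: a PEM certificate chain is far smaller than this


def fetch_identity_info(url, timeout=2.0, allow_plain_http=False):
    """Fetch the certificate referenced by an Identity-Info header.

    Returns a dict with "status" ("ok", "rejected" or "failed"), a "reason"
    or the "data", and the wall-clock "elapsed" seconds, so a caller can see
    that no path holds the worker longer than the timeout plus one bounded read.
    """
    start = time.monotonic()
    parsed = urlparse(url)
    # RFC 4474 requires an https URI here; plain http is only for the local demo.
    if parsed.scheme != "https" and not (allow_plain_http and parsed.scheme == "http"):
        return {"status": "rejected", "reason": "scheme %r not allowed" % parsed.scheme,
                "elapsed": time.monotonic() - start}
    try:
        # The timeout applies to connect() and to every recv(), so a host that
        # never completes the handshake or never answers cannot block the process.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = resp.read(MAX_CERT_BYTES + 1)
    except (urllib.error.URLError, OSError) as exc:   # socket.timeout is an OSError
        return {"status": "failed", "reason": type(exc).__name__,
                "elapsed": time.monotonic() - start}
    if len(data) > MAX_CERT_BYTES:
        return {"status": "rejected", "reason": "response larger than %d bytes" % MAX_CERT_BYTES,
                "elapsed": time.monotonic() - start}
    return {"status": "ok", "data": data, "elapsed": time.monotonic() - start}


def start_silent_server():
    """Constructed hostile host: accepts TCP connections and never sends anything."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []   # keep accepted sockets open; closing them would give the client a reset instead

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:   # listener closed by the caller
                return
            held.append(conn)

    threading.Thread(target=run, daemon=True).start()
    return srv, held, srv.getsockname()[1]


def demo_hung_server(timeout=1.0):
    """Fetch from the silent server and report how long the verifier was held."""
    srv, held, port = start_silent_server()
    try:
        return fetch_identity_info("http://127.0.0.1:%d/cert.pem" % port,
                                   timeout=timeout, allow_plain_http=True)
    finally:
        srv.close()
        for conn in held:
            conn.close()


if __name__ == "__main__":
    print(fetch_identity_info("http://attacker.example/cert.pem"))   # rejected: not https
    print(demo_hung_server(1.0))                                      # failed after about 1 s
```

The point of returning "elapsed" is that the worst case is now the configured timeout, not the kernel's TCP retransmission schedule; in a SIP proxy with a fixed pool of worker processes, each unbounded fetch would otherwise take one worker out of service for as long as the attacker's host stays silent.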
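As an added illustration of the third point above (example code, not from the original post or the auth_identity module), the following Python assembles RFC 4474's digest-string from a constructed INVITE and hashes it with SHA-1, which is what the RSA signature carried in the Identity header is computed over. It then shows which later edits change that hash (rewriting Contact or the SDP connection line, i.e. what fix_contact() and force_rtpproxy() do) and which do not (adding a Via, changing Max-Forwards). The message, addresses and helper names are constructed for this example.

```python
"""RFC 4474 digest-string and which header rewrites invalidate it (added example)."""
import hashlib
import re

# Constructed INVITE; addresses and identifiers are made up for the example.
SAMPLE_INVITE = (
    "INVITE sip:bob@biloxi.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKnashds8\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@biloxi.example.org>\r\n"
    "Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def parse_sip(raw):
    """Split a SIP message into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def addr_spec(value):
    """Return the URI of a name-addr / addr-spec header value, without display name or params."""
    m = re.search(r"<([^>]*)>", value)
    if m:
        return m.group(1)
    return value.split(";", 1)[0].strip()


def digest_string(raw):
    """RFC 4474 digest-string: From, To, Call-ID, CSeq, Date, Contact addr-spec, body, joined by '|'."""
    _, h, body = parse_sip(raw)
    contact = addr_spec(h["contact"][0]) if "contact" in h else ""
    cseq = " ".join(h["cseq"][0].split())   # exactly one space between number and method
    return "|".join([
        addr_spec(h["from"][0]),
        addr_spec(h["to"][0]),
        h["call-id"][0],
        cseq,
        h["date"][0],
        contact,
        body,
    ])


def identity_digest(raw):
    """SHA-1 over the digest-string; the Identity header holds an RSA signature of this hash."""
    return hashlib.sha1(digest_string(raw).encode("utf-8")).hexdigest()


def set_header(raw, name, value):
    """Replace the value of the first header called `name` (keeps the CRLF line ending)."""
    head, sep, body = raw.partition("\r\n\r\n")
    pattern = re.compile(r"^" + re.escape(name) + r":[^\r\n]*", re.M | re.I)
    return pattern.sub(lambda m: name + ": " + value, head, count=1) + sep + body


def add_via(raw, via):
    """Insert a Via on top, as every proxy does when forwarding."""
    head, sep, body = raw.partition("\r\n\r\n")
    first, rest = head.split("\r\n", 1)
    return first + "\r\nVia: " + via + "\r\n" + rest + sep + body


def rewrite_sdp_connection(raw, new_ip):
    """Rewrite the SDP c= line, the kind of change a media relay module makes."""
    head, sep, body = raw.partition("\r\n\r\n")
    body = re.sub(r"^c=IN IP4 \S+", lambda m: "c=IN IP4 " + new_ip, body, flags=re.M)
    return head + sep + body


if __name__ == "__main__":
    original = identity_digest(SAMPLE_INVITE)
    print("digest-string:", digest_string(SAMPLE_INVITE).split("\r\n")[0])
    for label, changed in [
        ("add Via", add_via(SAMPLE_INVITE, "SIP/2.0/UDP proxy.example.com;branch=z9hG4bK77ef")),
        ("Max-Forwards 69", set_header(SAMPLE_INVITE, "Max-Forwards", "69")),
        ("NAT-fixed Contact", set_header(SAMPLE_INVITE, "Contact", "<sip:alice@203.0.113.5:5060>")),
        ("relayed SDP c=", rewrite_sdp_connection(SAMPLE_INVITE, "203.0.113.5")),
    ]:
        print("%-18s signature still valid: %s" % (label, identity_digest(changed) == original))
```

Whether a change breaks the signature depends only on whether the bytes it touches are part of the digest-string: Via, Record-Route and Max-Forwards are not, so normal proxy forwarding is safe, while Contact and the body are, so any NAT or media-relay rewrite applied after signing leaves the verifier with a signature over a message that no longer exists.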


