[sr-dev] Some question about auth_identity module

Daniel-Constantin Mierla miconda at gmail.com
Wed Feb 23 22:46:55 CET 2011



On 2/23/11 11:52 AM, Klaus Darilion wrote:
>
> On 23.02.2011 11:26, Iñaki Baz Castillo wrote:
>> Hi, by reading auth_identity module documentation I get some doubts:
>>
>>
>> - The doc examples use things like:
>>
>>      if (@identity) {
>>        t_reply("403", "Invalid Identity header");
>>        drop;
>>      }
>>
>> What is @identity ??
> @xxx is a 'select', see ser's select framework:
To add here:

- the selects can be accessed via pseudo-variables framework, like: 
$sel(xxx) instead of @xxx

Cheers,
Daniel

> http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html
>
> http://sip-router.org/wiki/ref_manual/selects
>
> IMO the example looks a bit weird.
>
>> - When acting as verifier, the proxy must get the certificate via HTTP
>> from the URL given in the Identity-Info header of the request. The
>> module doesn't include TCP/HTTP timeouts so, what would happen if an
>> attacker set a non-responding domain in such header? Would the
>> kamailio/ser process block when trying to retrieve the certificate
>> until the kernel returns error for the TCP establishment? (it could
>> take even minutes!!!).
> Try it. ;-)
>
>> - The doc says:
>>
>>      1.6.2.  auth_add_identity()
>>      [...]
>>      Note: this function needs the final outgoing message for
>>      authorization, so no module may modify any digest string related
>>      headers (From, To, Call-ID, CSeq, Date, Contact) and body after
>>      auth_add_identity()'s been called
>>
>> So we must be careful and not use fix_contact(), force_rtpproxy() or
>> whatever function modifying From/To/Contact/body. This means that this
>> won't work in most of the cases (who doesn't deal with NATted
>> clients?). The only solution seems to be calling msg_apply_changes(),
>> but this doesn't seem to be very good. Am I wrong? So, is this module
>> really usable in real environments? Somebody using it?
> You can do any modifications before auth_add_identity(), but not after
> auth_add_identity(). auth_add_identity() internally calls
> msg_apply_changes functionality.
>
> regards
> klaus
>

-- 
Daniel-Constantin Mierla
http://www.asipto.com
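
The ordering rule discussed in this thread (modify before auth_add_identity(), never after), as an added example that is not part of the original messages or of the auth_identity code. It assumes the RFC 4474 digest-string layout over the headers the quoted documentation lists; the SHA-1 hash stands in for the RSA-SHA1 signature, nat_rewrite() is a hypothetical stand-in for fix_contact()/force_rtpproxy(), and the sample request is constructed.

```python
import hashlib
import re

# Constructed sample request; names and addresses are illustrative only.
HEADERS = {
    "From": '"Alice" <sip:alice@example.com>;tag=1928301774',
    "To": "<sip:bob@example.org>",
    "Call-ID": "a84b4c76e66710",
    "CSeq": "314159 INVITE",
    "Date": "Wed, 23 Feb 2011 10:26:00 GMT",
    "Contact": "<sip:alice@192.168.1.10:5060>",
}
BODY = "v=0\r\nc=IN IP4 192.168.1.10\r\nm=audio 49170 RTP/AVP 0\r\n"

def addr_spec(value):
    """Return the URI of a name-addr/addr-spec header value, without params."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def digest_string(headers, body):
    """RFC 4474 digest-string: the fields the Identity signature covers."""
    contact = addr_spec(headers["Contact"]) if headers.get("Contact") else ""
    return "|".join([addr_spec(headers["From"]), addr_spec(headers["To"]),
                     headers["Call-ID"], headers["CSeq"], headers["Date"],
                     contact, body])

def signed_hash(headers, body):
    """SHA-1 over the digest-string; stands in for the RSA-SHA1 signature."""
    return hashlib.sha1(digest_string(headers, body).encode()).hexdigest()

def nat_rewrite(headers, body, private="192.168.1.10", public="203.0.113.7"):
    """Hypothetical stand-in for fix_contact()/force_rtpproxy() rewriting."""
    out = dict(headers)
    out["Contact"] = out["Contact"].replace(private, public)
    return out, body.replace(private, public)

def verifier_accepts(identity, headers, body):
    """The verifier recomputes the hash from the message as received."""
    return identity == signed_hash(headers, body)

def compare_orderings():
    fixed_h, fixed_b = nat_rewrite(HEADERS, BODY)
    # Rewrite first, sign last: the signature covers what is sent.
    rewrite_then_sign = verifier_accepts(signed_hash(fixed_h, fixed_b), fixed_h, fixed_b)
    # Sign first, rewrite afterwards: the sent message no longer matches.
    sign_then_rewrite = verifier_accepts(signed_hash(HEADERS, BODY), fixed_h, fixed_b)
    return rewrite_then_sign, sign_then_rewrite

if __name__ == "__main__":
    print(compare_orderings())
```

Only the URI part of From, To and Contact enters the digest-string, so a changed display name or tag does not affect verification, while any Contact or SDP rewrite after signing does.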



