[Serusers] www_challange and proxy_challange
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Aug 24 09:31:47 CEST 2005
If the proxy is the endpoint of the request, it should use www_auth.
If the proxy is an intermediate hop, it should use proxy_auth.
Thus, usually you use:
- www_auth for REGISTER
- proxy_auth for INVITE, BYE, MESSAGE, ...
I'm a little bit unsure how to challenge PUBLISH and SUBSCRIBE as they
might be terminated in the proxy (pa module) or in the client (end2end
presence).
My personal opinion: authentication of out-of-dialog messages is a must.
Authentication of in-dialog requests should be relaxed due to broken
clients.
regards
klaus
Chris St Denis wrote:
> Seems pointless to challenge an ACK.
>
> Anyway, with ACK and BYE are they supposed to get proxy or www challenge?
>
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
> Sent: Tuesday, August 23, 2005 3:25 PM
> To: Chris St Denis
> Cc: 'Thomas Britis'; serusers at lists.iptel.org
> Subject: Re: [Serusers] www_challange and proxy_challange
>
>
>
> Chris St Denis wrote:
>
>
>>www_authorize/www_challenge should be used in register.
>>proxy_authorize/proxy_challenge in invite.
>>
>>I don't see any need for the www_authorize in invite and I don't think any
>>messages other than register and invite support authentication.
>
>
> All SIP messages except CANCEL can be challenged. But due to broken SIP
> clients it is sometimes better to not authenticate BYE and ACK.
>
> regards
> klaus
>
>>-----Original Message-----
>>From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
>>Behalf Of Thomas Britis
>>Sent: Tuesday, August 23, 2005 12:16 PM
>>To: serusers at lists.iptel.org
>>Subject: [Serusers] www_challange and proxy_challange
>>
>>Hi all,
>>
>> Is it sane to use:
>>
>>if (uri==myself) {
>>    if (method=="REGISTER") {
>>        if (!www_authorize("", "subscriber")) {
>>            www_challenge("", "0");
>>            break;
>>        };
>>    } else {
>>        if (!www_authorize("", "subscriber")) {
>>            if (!proxy_authorize("", "subscriber")) {
>>                proxy_challenge("", "0");
>>                break;
>>            };
>>        };
>>    };
>>};
>>
>> Or anything here appears to be wrong ?
>>
>> Thank you.
>
>
>
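The per-method split discussed in this thread, written out as a SER 0.9-style route fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the auth, auth_db, sl, tm and registrar modules are loaded and configured elsewhere in ser.cfg, and it reuses the "subscriber" table and empty realm from the quoted snippet.

```cfg
# Added example (not from the thread). Assumes auth, auth_db, sl, tm
# and registrar are loaded and parameterised elsewhere in ser.cfg.
route {
    # CANCEL cannot be challenged, and ACK never gets a response, so a
    # challenge for it could not reach the client. Relay both as-is.
    if (method=="CANCEL" || method=="ACK") {
        t_relay();
        break;
    };

    if (uri==myself) {
        if (method=="REGISTER") {
            # The proxy is the endpoint of the request:
            # 401 with WWW-Authenticate.
            if (!www_authorize("", "subscriber")) {
                www_challenge("", "0");
                break;
            };
            save("location");
            break;
        };

        # The proxy is an intermediate hop (INVITE, BYE, MESSAGE, ...):
        # 407 with Proxy-Authenticate.
        # Assumption: PUBLISH and SUBSCRIBE also take this branch; the
        # thread leaves open how they should be challenged when the
        # proxy itself terminates them.
        # Sites that relax in-dialog authentication for broken clients
        # would exempt BYE here as well.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            break;
        };

        # Strip the verified credentials before forwarding downstream.
        consume_credentials();
    };

    if (!t_relay()) {
        sl_reply_error();
    };
}
```

Compared with the quoted snippet, a non-REGISTER request is checked only against Proxy-Authorization, so the header the proxy verifies is always the one it asked for in its challenge.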