[SR-Users] people complain Kamailio not handling stale nonce correctly

Juha Heinanen jh at tutpro.com
Tue Jul 2 19:30:10 CEST 2019

Juha Heinanen writes:

> > Moreover, the latest recommendations in security is to disclose as less as
> > possible what was not "correct", avoiding responses like "invalid user id"
> > or "invalid password".
> I agree with that, but in case of expired nonce, the sender already has
> somehow figured out what the username is.

I think that in order to be able send a request with stale nonce, the
attacker must already have been able to capture the previous
request/response.  If so, there is not much to loose by including the

-- Juha

More information about the sr-users mailing list