[SR-Users] people complain Kamailio not handling stale nonce correctly

Juha Heinanen jh at tutpro.com
Wed Jul 3 07:30:48 CEST 2019


Daniel-Constantin Mierla writes:

> With the above considerations, to make it specs compliant, the code has to
> be extended so that even in the case of an expired nonce, the auth_db (and
> the other auth* variants) has to go further to compute the response and if
> there was a match, then add stale=true. As it is right now, if someone
> sends an expired nonce with an incorrect password, the stale=true is added,
> even though it shouldn't be as per specs.

I would consider that a serious bug that needs to be fixed.  stale=true
should be set only in case authentication would otherwise succeed, but
the nonce has expired.

After the fix, I don't see any reason why stale=true could not be set.

-- Juha
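
The check order discussed in this message, as an added example that is not Kamailio's code and not part of the original post: the digest response is computed even when the nonce has expired, and stale=true is signalled only when that response matches. The nonce format, `SECRET`, `NONCE_LIFETIME` and all function names are assumptions made for the illustration; the response formula is the RFC 2617 one without qop.

```python
import hashlib
import hmac

SECRET = "constructed-server-secret"   # assumption: per-server nonce secret
NONCE_LIFETIME = 300                   # assumption: seconds a nonce stays fresh

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_nonce(issued_at):
    # Constructed format: 8 hex digits of issue time + MD5(time:secret).
    stamp = f"{issued_at:08x}"
    return stamp + md5_hex(f"{stamp}:{SECRET}")

def nonce_state(nonce, now):
    """Return 'forged', 'expired' or 'fresh' for a received nonce."""
    stamp, tag = nonce[:8], nonce[8:]
    if not hmac.compare_digest(tag.encode(), md5_hex(f"{stamp}:{SECRET}").encode()):
        return "forged"
    return "expired" if now - int(stamp, 16) > NONCE_LIFETIME else "fresh"

def expected_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authenticate(creds, password, method, now):
    """Return (authorized, stale) for one request's digest credentials."""
    state = nonce_state(creds["nonce"], now)
    # Compute the response regardless of nonce age, so that an expired nonce
    # combined with a wrong password is not reported as merely stale.
    want = expected_response(creds["username"], creds["realm"], password,
                             method, creds["uri"], creds["nonce"])
    response_ok = hmac.compare_digest(want.encode(), creds["response"].encode())
    if state == "forged" or not response_ok:
        return (False, False)   # re-challenge without stale
    if state == "expired":
        return (False, True)    # credentials correct, nonce old: stale=true
    return (True, False)
```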



