[SR-Users] people complain Kamailio not handling stale nonce correctly

Juha Heinanen jh at tutpro.com
Wed Jul 3 07:30:48 CEST 2019

Daniel-Constantin Mierla writes:

> With the above considerations, to make it specs compliant, the code has to
> be extended that even in the case of expired nonce, the auth_db (and the
> other auth* variants) has to go further to compute the response and if
> there was a match, then add stale=true. As it is right now, if someone
> sends an expired nonce with an incorrect password, the stale=true is added,
> even it shouldn't as per specs.

I would consider that a serious bug that needs to be fixed.  stale=true
should be set only in case authentication would otherwise succeed, but
nonce has expired.

After the fix, I don't see any reason why stale=true could not be set.

-- Juha

More information about the sr-users mailing list