[SR-Users] people complain Kamailio not handling stale nonce correctly

Daniel-Constantin Mierla miconda at gmail.com
Wed Jul 3 08:56:56 CEST 2019


I do not have anything against being implemented as per specs, with an
option (a new flag) to auth functions (likely it needs to be done in
several modules that do digest-auth with various backends). It would also
make sense to see what the specs say about a UA reusing a nonce, if it is
something recommended or just something some UAs do for convenience. When the
nonce is returned the first time, it is unlikely that it will expire before the first
usage; expiration happens when the UA uses the nonce from a previous
registration, which happened probably minutes ago. Is this something covered
by the specs?

Anyhow, setting this option in the default config file is something I don't
consider really good from a security point of view. Hitting the database can
be a big performance impact. Adding additional rules to overcome the
potential DoS exposure, such as fail2ban, is of course good, but it also
does not belong in the default config file. There are many options that the
auth modules have, including one-time-nonce, different auth qop, etc. I
think all of these can be added to the advanced config, now located in
misc/examples/pkg/kamailio-oob.cfg.

I prefer to keep kamailio.cfg as a complete-enough but still basic starting
point to build the config file. There will be more negative feedback if the
default config has poor performance and is exposed to more security risks
than from someone reading the docs and enabling various auth options to tune it
for specific needs.

Actually, so far nobody has complained about the lack of stale=true. I have seen
some UAs that reused the nonce between registrations, and typically they don't
ask for a new password if they reused the nonce, only when they got a fresh
one and the auth failed... but these could be specific implementation details;
the specs should be checked about the reuse of the nonce to see what behaviour
should be there.

Cheers,
Daniel

On Wed, Jul 3, 2019 at 7:39 AM Juha Heinanen <jh at tutpro.com> wrote:

> Daniel-Constantin Mierla writes:
>
> > If I haven't missed something, Juha said it is not good to ask the user
> > again for introducing the password in the (soft)phone app. The hashed
> > response (with nonce, realm, password) has to be sent always over the
> > network, no matter the stale parameter value. So it is just the
> > inconvenience of the person to type the password, it doesn't impact at
> all
> > what is sent over the network.
>
> I tried to say that if a UA sends a REGISTER request that includes an
> Authorization header and gets back a 401 WWW-Authenticate header without
> stale=true, the UA MUST ask the user to enter the authentication
> username/password again, even when there is nothing wrong with them.
>
> In practice that is in many cases impossible, e.g., when the UA is
> in the user's pocket.  That is why it is important that the server includes the
> flag in the 401 response.
>
> -- Juha
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>


-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
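The rule both messages circle around (the server answers 401 with stale=true only when the nonce has aged out but the digest response proves the UA already knows the right password, so the UA can retry silently instead of re-prompting the user) is easy to get wrong, so here is an added example that models it. This is illustrative code written for this thread, not Kamailio's auth module; the realm, the user table, the server secret, the 60-second nonce lifetime and the HMAC-stamped nonce layout are all constructed assumptions, and the digest is the plain RFC 2617 form without qop.

```python
"""Digest-auth challenge decision: when to answer 401 with stale=true.

Added example, not Kamailio code. Models the RFC 2617 rule discussed in the
thread: set stale=true only when the nonce is no longer acceptable but the
response was computed with the correct credentials, so the UA may retry with
the new nonce without asking the user for the password again.
"""
import hashlib
import hmac

REALM = "example.com"                        # constructed realm
USERS = {"alice": "correct horse"}           # constructed username -> password
SERVER_SECRET = b"constructed-server-secret"  # constructed; keeps nonces unforgeable
NONCE_TTL = 60                               # seconds a nonce stays acceptable (assumption)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: float) -> str:
    """Issue a nonce that carries its creation time plus an HMAC over it."""
    ts = str(int(now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}.{mac}"


def nonce_issued_by_us(nonce: str) -> bool:
    """True only if the nonce's HMAC was produced with SERVER_SECRET."""
    ts, _, mac = nonce.partition(".")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(mac, expected)


def nonce_fresh(nonce: str, now: float) -> bool:
    """True while the nonce is within its lifetime (and not from the future)."""
    ts = int(nonce.partition(".")[0])
    return 0 <= now - ts <= NONCE_TTL


def digest_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def check_register(username: str, nonce: str, response: str, uri: str, now: float):
    """Decide the reply to a REGISTER that carries an Authorization header.

    Returns ("200", None) on success, otherwise ("401", stale_flag):
    stale=False means the credentials did not verify and the UA should
    re-prompt; stale=True means only the nonce aged out, retry silently.
    """
    password = USERS.get(username)
    if password is None or not nonce_issued_by_us(nonce):
        return "401", False
    expected = digest_response(username, password, "REGISTER", uri, nonce)
    if not hmac.compare_digest(expected, response):
        return "401", False          # wrong password even for this nonce
    if nonce_fresh(nonce, now):
        return "200", None
    return "401", True               # right password, expired nonce


def www_authenticate(now: float, stale: bool) -> str:
    """Render the challenge header for a 401 reply, with a fresh nonce."""
    flag = "true" if stale else "false"
    return f'WWW-Authenticate: Digest realm="{REALM}", nonce="{make_nonce(now)}", stale={flag}'


if __name__ == "__main__":
    t0 = 1_000_000.0
    nonce = make_nonce(t0)
    uri = "sip:example.com"
    good = digest_response("alice", "correct horse", "REGISTER", uri, nonce)
    print(check_register("alice", nonce, good, uri, t0 + 5))      # fresh nonce -> 200
    code, stale = check_register("alice", nonce, good, uri, t0 + 3600)
    print(code, stale)                                            # reused old nonce -> 401 stale=True
    print(www_authenticate(t0 + 3600, stale))
    bad = digest_response("alice", "wrong", "REGISTER", uri, nonce)
    print(check_register("alice", nonce, bad, uri, t0 + 5))       # wrong password -> 401 stale=False
```

The order of the checks is the point: the server verifies the response against the nonce the UA actually presented before it looks at the nonce's age, which is what lets it distinguish "old nonce, right password" (stale=true) from "wrong password" (stale=false) without ever leaking which case applies to an unknown user or a nonce it did not issue. The HMAC in the nonce is what makes that safe; without it the server would be vouching for nonces it never generated.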