[SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...

Olle E. Johansson oej at edvina.net
Wed Jun 17 08:28:53 CEST 2020


Aymeric,
Good to hear from you!

There’s been some discussion in the IETF which we haven’t resolved on how to handle this. I think you need to set up
different domains or realms each with one auth algorithm. If you offer two at the same time - what’s the point?
You are still wide open for downgrade attacks and haven’t accomplished much.

I guess we will have to wait until the IETF resolves this issue, which probably applies to more protocols.
The big question is how to upgrade a user base to stronger authentication algorithms in HTTP Digest auth
without allowing downgrade attacks.

Cheers,
/O

> On 16 Jun 2020, at 20:42, Henning Westerholt <hw at skalatan.de> wrote:
> 
> Hello,
>  
> take a look at this parameter; you can switch between MD5 and SHA256, but only use one at a time:
>  
> https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
>  
> About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
>  
> Cheers,
>  
> Henning
>  
> -- 
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>  
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Aymeric Moizard
> Sent: Monday, June 15, 2020 10:31 PM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
>  
> Hi All,
>  
> I'd like to improve my setup by switching to SHA-256. 
> However, as a first step, I would like to offer both MD5 and SHA-256
> in 2 different WWW-Authenticate headers.
>  
> If I'm correct, this is not doable with the latest auth module?
> Is this a planned feature?
>  
> As an alternative, I would like to decide the algorithm in the script
> instead of a module parameter. It looks to me this is also not doable?
> Again, is this a planned feature?
>  
> Thanks to all,
>  
> Regards
> Aymeric
>  
> -- 
> Antisip - http://www.antisip.com
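
Added example, not part of the thread and not Kamailio's auth module code: a Python illustration of the separate-realms approach suggested in the reply above, where the verifier pins each realm to one algorithm so that a correctly computed MD5 response is still refused on a SHA-256 realm. The realm names, user, password, nonce values and the `REALM_ALGORITHM` policy table are constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical policy: each realm is pinned to exactly one digest algorithm.
REALM_ALGORITHM = {"legacy.example.org": "MD5", "sip.example.org": "SHA-256"}
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def digest_response(algorithm, c, password, method):
    """Digest response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    def h(text):
        return HASHES[algorithm](text.encode()).hexdigest()
    ha1 = h(f"{c['username']}:{c['realm']}:{password}")
    ha2 = h(f"{method}:{c['uri']}")
    return h(f"{ha1}:{c['nonce']}:{c['nc']}:{c['cnonce']}:auth:{ha2}")


def verify(c, password, method):
    """Accept only the algorithm pinned to the realm, then check the response."""
    pinned = REALM_ALGORITHM.get(c["realm"])
    offered = c.get("algorithm", "MD5")  # an absent parameter means MD5
    if pinned is None or offered != pinned:
        return "reject: algorithm not allowed for this realm"
    expected = digest_response(pinned, c, password, method)
    if hmac.compare_digest(expected, c["response"]):
        return "ok"
    return "reject: bad response"


def sample_credentials(algorithm, realm, password="s3cret"):
    """Constructed Authorization parameters, as a client would send them."""
    c = {"username": "alice", "realm": realm, "uri": "sip:sip.example.org",
         "nonce": "constructed-nonce", "nc": "00000001", "cnonce": "0a4f113b",
         "algorithm": algorithm}
    c["response"] = digest_response(algorithm, c, password, "REGISTER")
    return c


if __name__ == "__main__":
    for alg, realm in [("SHA-256", "sip.example.org"), ("MD5", "sip.example.org"),
                       ("MD5", "legacy.example.org")]:
        creds = sample_credentials(alg, realm)
        print(alg, realm, "->", verify(creds, "s3cret", "REGISTER"))
```

Because the realm is an input to H(A1), moving a user from the MD5 realm to the SHA-256 realm requires new stored credentials for that user.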