[Kamailio-Users] nonce_reuse protection issues

Iñaki Baz Castillo ibc at aliax.net
Thu Jul 16 22:16:40 CEST 2009


On Thursday, 16 July 2009, Klaus Darilion wrote:
> Iñaki Baz Castillo wrote:
> > 2009/7/16 Klaus Darilion <klaus.mailinglists at pernau.at>:
> >> Iñaki Baz Castillo wrote:
> >>> However, to announce "stale=true" in 401/407 response the
> >>> credentials must be verified.
> >>
> >> It would be sufficient to check if the nonce is reused, response
> >> calculation could be done afterwards
> >
> > What I mean is that, response calculation should be done even if nonce
> > is reused. If not, there is no way to send "stolen=true" in 401/407.
>
> I do not understand this. If the nonce was already used, the proxy could
> respond immediately with 407 and "stale=true" without checking the password

Hummm, yes it could... good point :)

-- 
Iñaki Baz Castillo <ibc at aliax.net>
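
The ordering discussed in this thread (check nonce reuse first, calculate the response only afterwards), as an added sketch that is not part of the original messages and is not Kamailio code. The class, function and field names are hypothetical, and the digest is the basic RFC 2617 form without qop:

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(ha1, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class OneTimeNonceAuth:
    """Toy proxy-side verifier with one-time nonces (hypothetical names)."""

    def __init__(self, ha1_by_user):
        self.ha1_by_user = ha1_by_user  # username -> MD5(user:realm:password)
        self.issued = set()             # nonces handed out, not yet presented
        self.used = set()               # nonces already presented once
        self.hash_checks = 0            # number of response calculations done

    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"status": 407, "nonce": nonce, "stale": stale}

    def verify(self, method, uri, creds):
        nonce = creds["nonce"]
        # Step 1: reuse check. No credential lookup or hashing happens here.
        if nonce in self.used:
            return self.challenge(stale=True)
        if nonce not in self.issued:
            return self.challenge()     # nonce we never issued
        # Consume the nonce on first presentation, whatever the outcome.
        self.issued.discard(nonce)
        self.used.add(nonce)
        # Step 2: response calculation, reached only with a fresh nonce.
        self.hash_checks += 1
        ha1 = self.ha1_by_user.get(creds["username"], "")
        expected = digest_response(ha1, nonce, method, uri)
        if secrets.compare_digest(expected, creds["response"]):
            return {"status": 200}
        return self.challenge()
```

With this ordering a replayed request gets 407 with stale=true whether or not its response value is correct, because the credentials are never examined on that path.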


