< Previous by Date Date Index Next by Date >
< Previous in Thread Thread Index Next in Thread >

Re: [reSIProcate] Helper::advancedAuthenticateRequest() and old nonces


This is certainly useful. Do you have an opinion on the 403 vs. 401 issue though? It seems that sending a 403 buys us absolutely nothing, and hurts interop besides. I see no reason to continue doing it. I could maybe see sending a 403 if someone sends us credentials that are malformed, on the assumption that the endpoint is broken and we should just tell it to shut up. (This brings up the question of how we deal with endpoints that don't know when to quit sending us bad credentials.)

Best regards,
Byron Campen

Hi

I believe that code below will allow any server to recognize nonces
between restarts.

BasicNonceHelper* myNonceHelper = new BasicNonceHelper();
myNonceHelper->setPrivateKey( Data( "yourServerPrivateKey" ) );
Helper::setNonceHelper( myNonceHelper );


With best regards
Alexander Altshuler
http://xeepe.com

-----Original Message-----
From: resiprocate-devel-bounces@xxxxxxxxxxxxxxx
[mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxx] On Behalf Of Byron
Campen
Sent: Tuesday, March 11, 2008 7:57 PM
To: resiprocate-devel
Subject: [reSIProcate] Helper::advancedAuthenticateRequest() and old
nonces

        The code in Helper::advancedAuthenticateRequest() will return
Failed
if it sees a nonce it doesn't recognize as its own. Unfortunately,
this is based on random bits generated at startup, meaning that if a
resip-based server is restarted, it will cease to recognize the
nonces it has issued, and will start 403ing every time one of them
comes in. This is less-than-desirable behavior. Would it be sane to
just treat this as an expired nonce, and issue a new challenge? This
wouldn't give a malicious endpoint anything it couldn't have gotten
already. Getting a 401 vs a 403 tells the endpoint nothing new about
the nonce it just used (in fact, it gives _less_ information), and it
could have just sent a request with no credentials if it wanted to
see what nonce we would generate.

        Any thoughts?

Best regards,
Byron Campen



_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxx
https://list.resiprocate.org/mailman/listinfo/resiprocate-devel

Attachment: smime.p7s
Description: S/MIME cryptographic signature