[reSIProcate] Helper::advancedAuthenticateRequest() and old nonces
Byron Campen
bcampen at estacado.net
Tue Mar 11 11:57:21 CDT 2008
The code in Helper::advancedAuthenticateRequest() will return Failed
if it sees a nonce it doesn't recognize as its own. Unfortunately,
this is based on random bits generated at startup, meaning that if a
resip-based server is restarted, it will cease to recognize the
nonces it has issued, and will start 403ing every time one of them
comes in. This is less-than-desirable behavior. Would it be sane to
just treat this as an expired nonce, and issue a new challenge? This
wouldn't give a malicious endpoint anything it couldn't have gotten
already. Getting a 401 vs a 403 tells the endpoint nothing new about
the nonce it just used (in fact, it gives _less_ information), and it
could have just sent a request with no credentials if it wanted to
see what nonce we would generate.
Any thoughts?
Best regards,
Byron Campen
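To make the distinction in the post concrete, here is an added illustration (not reSIProcate's code) of a nonce scheme keyed by a per-process secret, showing how a nonce issued before a restart becomes "unknown" afterwards and how the two policies discussed (flat 403 versus a fresh 401 challenge) differ. The class and function names, the nonce format and NONCE_LIFETIME are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

NONCE_LIFETIME = 300  # seconds a nonce stays fresh (constructed value)


class NonceAuthority:
    """Issues and checks nonces bound to a per-process secret (hypothetical;
    stands in for the random bits generated at startup that the post describes)."""

    def __init__(self, secret=None, now=time.time):
        self.secret = secret if secret is not None else os.urandom(32)
        self.now = now  # injectable clock so expiry can be exercised offline

    def _mac(self, issued):
        return hmac.new(self.secret, str(issued).encode(), hashlib.sha256).hexdigest()

    def issue(self):
        issued = int(self.now())
        return "%d:%s" % (issued, self._mac(issued))

    def classify(self, nonce):
        """Return 'valid', 'stale' (ours but expired) or 'unknown' (not ours)."""
        try:
            ts, mac = nonce.split(":", 1)
            issued = int(ts)
        except ValueError:
            return "unknown"
        if not hmac.compare_digest(mac, self._mac(issued)):
            return "unknown"  # MAC made under a different secret, e.g. pre-restart
        if self.now() - issued > NONCE_LIFETIME:
            return "stale"
        return "valid"


def respond(authority, nonce, rechallenge_unknown):
    """Map the nonce classification to the SIP status the post discusses.
    200 here only means 'nonce accepted'; digest verification follows (not shown)."""
    status = authority.classify(nonce)
    if status == "valid":
        return 200
    if status == "stale" or rechallenge_unknown:
        return 401  # fresh challenge (stale=true when the nonce was ours)
    return 403  # current behaviour: an unrecognised nonce is refused outright
```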