[reSIProcate] Helper::advancedAuthenticateRequest() and old nonces

Byron Campen bcampen at estacado.net
Wed Mar 12 09:38:08 CDT 2008 

	This is certainly useful. Do you have an opinion on the 403 vs. 401  
issue though? It seems that sending a 403 buys us absolutely nothing,  
and hurts interop besides. I see no reason to continue doing it. I  
could maybe see sending a 403 if someone sends us credentials that  
are malformed, on the assumption that the endpoint is broken and we  
should just tell it to shut up. (This brings up the question of how  
we deal with endpoints that don't know when to quit sending us bad  
credentials.)

Best regards,
Byron Campen

> Hi
>
> I believe that code below will allow any server to recognize nonces
> between restarts.
>
> BasicNonceHelper* myNonceHelper = new BasicNonceHelper();
> myNonceHelper->setPrivateKey( Data( "yourServerPrivateKey" ) );
> Helper::setNonceHelper( myNonceHelper );
>
>
> With best regards
> Alexander Altshuler
> http://xeepe.com
>
> -----Original Message-----
> From: resiprocate-devel-bounces at resiprocate.org
> [mailto:resiprocate-devel-bounces at resiprocate.org] On Behalf Of Byron
> Campen
> Sent: Tuesday, March 11, 2008 7:57 PM
> To: resiprocate-devel
> Subject: [reSIProcate] Helper::advancedAuthenticateRequest() and old
> nonces
>
> 	The code in Helper::advancedAuthenticateRequest() will return
> Failed
> if it sees a nonce it doesn't recognize as its own. Unfortunately,
> this is based on random bits generated at startup, meaning that if a
> resip-based server is restarted, it will cease to recognize the
> nonces it has issued, and will start 403ing every time one of them
> comes in. This is less-than-desirable behavior. Would it be sane to
> just treat this as an expired nonce, and issue a new challenge? This
> wouldn't give a malicious endpoint anything it couldn't have gotten
> already. Getting a 401 vs a 403 tells the endpoint nothing new about
> the nonce it just used (in fact, it gives _less_ information), and it
> could have just sent a request with no credentials if it wanted to
> see what nonce we would generate.
>
> 	Any thoughts?
>
> Best regards,
> Byron Campen
>
>
>
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel at resiprocate.org
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2423 bytes
Desc: not available
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20080312/fbd3bcda/attachment.bin>

More information about the resiprocate-devel mailing list