[Kamailio-Users] nonce_reuse protection issues
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Jul 16 21:18:41 CEST 2009

Iñaki Baz Castillo wrote:
> 2009/7/16 Klaus Darilion <klaus.mailinglists at pernau.at>:
>
>> Iñaki Baz Castillo wrote:
>>> However, to announce "stale=true" in 401/407 response the
>>> credentials must be verified.
>> It would be sufficient to check if the nonce is reused, response calculation
>> could be done afterwards
>
> What I mean is that, response calculation should be done even if nonce
> is reused. If not, there is no way to send "stolen=true" in 401/407.
I do not understand this. If the nonce was already used, the proxy could
respond immediately with 407 and "stale=true" without checking the password.

regards
klaus
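
The two orderings discussed in this thread, as an added example that is not part of the original message and is not Kamailio code: a toy proxy that either checks nonce reuse first or verifies the digest response first, so the difference in the "stale" flag for a replayed nonce is visible. RFC 2617 says the server should set stale to TRUE only when the nonce is invalid but the digest for that nonce is valid. The class, function names, realm, user and nonce value are all assumptions constructed for the illustration, and the nonce "n1" is assumed to have been issued by the proxy.

```python
import hashlib
import hmac

REALM = "example.test"        # constructed sample values
USERS = {"alice": "s3cret"}   # username -> password (constructed)

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Proxy:
    def __init__(self, verify_first):
        self.verify_first = verify_first
        self.used = set()     # nonces already accepted once

    def _valid(self, c):
        pw = USERS.get(c["username"])
        if pw is None:
            return False
        want = digest_response(c["username"], pw, c["method"], c["uri"], c["nonce"])
        return hmac.compare_digest(want, c["response"])

    def check(self, c):
        """Return (status, stale) for one request carrying credentials c."""
        reused = c["nonce"] in self.used
        if reused and not self.verify_first:
            return 407, True  # reuse checked first, password never examined
        if not self._valid(c):
            return 407, False  # wrong credentials are never reported as stale
        if reused:
            return 407, True  # valid digest over an already-used nonce
        self.used.add(c["nonce"])
        return 200, False

def make_creds(password, nonce):
    c = {"username": "alice", "method": "INVITE",
         "uri": "sip:bob@example.test", "nonce": nonce}
    c["response"] = digest_response("alice", password, c["method"], c["uri"], nonce)
    return c

def replay_outcomes(verify_first):
    """One legitimate request, then the same nonce replayed with a good and a bad password."""
    p = Proxy(verify_first)
    return tuple(p.check(make_creds(pw, "n1")) for pw in ("s3cret", "s3cret", "guess"))
```

With reuse checked first, a replayed nonce gets stale=true whether or not the sender knows the password; with the digest verified first, only the sender with the right password does.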