Your message dated Tue, 20 Nov 2012 22:34:37 -0500
with message-id
<CANTw=mpasgvspu27tecc6suhze1lkhne-emunha1pjcdylj...@mail.gmail.com>
and subject line Issues fixed in 1.8.5
has caused the Debian Bug report #692960,
regarding federated SIP mode not working, third-party peers receive DIGEST
challenge
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
692960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692960
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: repro
Version: 1.8.2-1+b1
Severity: serious
This bug is marked as serious because
a) it concerns a feature that has been very widely promoted for the 1.8
release, it has also been widely promoted upstream that wheezy will have
repro v1.8
b) because the bug causes the proxy to refuse SIP messages from external
peers who present a valid client cert, with no workaround possible
Note: this doesn't impact peers explicitly listed in the ACL. However,
the ACL can't know about arbitrary peers making ad-hoc connections in a
fully federated environment.
The bug only applies to the repro binary package and not other packages
built from the resiprocate source package.
Specific details of the bug:
- when local users have to authenticate themselves using the DIGEST
method (instead of certificates), repro is (wrongly) expecting ALL peers
to authenticate with DIGEST
- it is quite common to have local users (e.g. IP phones) authenticating
using the DIGEST method
- however, repro 1.8.2 is also sending a DIGEST challenge back to
external third-party proxies as well as local users
- usually, third-party proxies should only have to pass the certificate
validation test, as they will not have DIGEST credentials on the local proxy
- all of the above permutations are configurable (e.g. certificate or
DIGEST modes can both be turned on and off independently in repro.config
and known peers can be pre-defined in the ACL)
The bug is fixed in 1.8.5 and beyond:
http://svn.resiprocate.org/viewsvn/resiprocate/branches/resiprocate-1.8/resip/dum/ServerAuthManager.cxx?r1=9854&r2=9855&diff_format=l
and an unblock request has been raised for 1.8.5 to enter wheezy:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681387
--- End Message ---
--- Begin Message ---
version: 1.8.5-1
Marking these issues as fixed in the above version.
Best wishes,
Mike
--- End Message ---
