My problem is that the UA doesn't seem to be able to handle too long nonces, so it takes as many chars as it can handle and uses that.

In the nonce that our proxy sends, there is a timestamp (according to the Digest RFC) to be able to validate whether the nonce is supposed to be valid or not. When the UA removes characters from the nonce there is no way for the proxy to know if it should accept it or not (it can't read the timestamp and validate it). If it sends a new 407 it will get the same response again (with a short nonce) and it will keep doing so. To prevent this (the challenge will always fail unless the proxy creates a shorter nonce), what can it send instead? I guess you could always send 400 Bad Request, but is there a more specific response to send?

Regards,
Andreas

-----Original Message-----
From: Scott Lawrence [mailto:[EMAIL PROTECTED]]
Sent: 16 October 2003 16:05
To: Andreas Byström
Cc: Sip Implementors
Subject: Re: [Sip-implementors] Wrong nonce in challenge response

Andreas Byström <[EMAIL PROTECTED]> writes:

> What to do if the proxy receives a different nonce than the one that
> it sent in a challenge? Would it just send a new 407 or should it
> send something else?
>
> Example
> Proxy A receives an Invite. A sends 407 back to UA with a challenge
> containing the nonce="12345". When A then receives the Invite again, there
> is a response to the challenge. But in that response the nonce is "123".
> Should A just send a new 407 ?

It's up to the server to decide whether or not the nonce it receives is acceptable to it. The server may use any criteria it likes for that decision. It can return a new challenge (407 for proxy authentication, or 401 for server authentication), or decide to accept the nonce as valid. If it doesn't like the nonce, it should return the 40[17].

If the nonce might once have been valid (such as one whose nc value is outside the range acceptable to the server, or one that is too old), the server has the option of computing whether or not the credentials used to construct the response value with that nonce were good, and if so return 'stale=true' to indicate that a retry using the same credentials and the new nonce should succeed, but it is not required to do that check.

--
Scott Lawrence
Pingtel Corp.

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
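The proxy-side decision Scott describes, as an added example that is not part of this thread or of any SIP stack: a timestamped, MAC-protected nonce (the RFC 2617 style Andreas mentions), a classifier that separates a nonce that is merely expired (candidate for `stale=true`) from one that cannot be verified at all (a truncated "123"), and the resulting 407 decision. The secret, lifetime, timestamps and function names are constructed assumptions; the credentials check is represented by a boolean the caller supplies.

```python
import hashlib
import hmac

# Constructed values for this example; a real proxy loads its own secret.
SERVER_SECRET = b"example-proxy-secret"
NONCE_LIFETIME = 300  # seconds a nonce is considered fresh (assumption)


def make_nonce(now: int, secret: bytes = SERVER_SECRET) -> str:
    """Nonce of the form '<unix-timestamp>:<hmac-sha256-hex>'."""
    ts = str(now)
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def classify_nonce(nonce: str, now: int, secret: bytes = SERVER_SECRET) -> str:
    """Return 'valid', 'stale' or 'malformed' for a nonce echoed by the UA.

    'malformed' is the truncated-nonce case from the thread: the timestamp
    or MAC cannot be verified, so the proxy can neither accept it nor say
    it was once valid.  'stale' means well-formed and authentic but expired.
    """
    ts, sep, mac = nonce.partition(":")
    if not sep or not ts.isdigit():
        return "malformed"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "malformed"  # MAC cut short or altered
    if int(ts) > now or now - int(ts) > NONCE_LIFETIME:
        return "stale"
    return "valid"


def challenge_for(nonce: str, now: int, credentials_ok: bool,
                  secret: bytes = SERVER_SECRET) -> dict:
    """Decide the proxy's reply: 200 (accept) or a 407 with a fresh nonce.

    stale=true is set only when the nonce was once valid AND the response
    computed with it checked out (credentials_ok), as the RFC allows; a
    malformed nonce always gets a plain new challenge.
    """
    state = classify_nonce(nonce, now, secret)
    if state == "valid" and credentials_ok:
        return {"status": 200}
    hdr = {"nonce": make_nonce(now, secret)}
    if state == "stale" and credentials_ok:
        hdr["stale"] = "true"
    return {"status": 407, "Proxy-Authenticate": hdr}
```

With a UA that truncates every nonce, `classify_nonce` keeps returning `"malformed"`, which is the loop Andreas describes; the only server-side escape is a nonce short enough for that UA.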
