On Aug 5, 2007, at 7:17 AM, Scott Lawrence wrote:

> On Sun, 2007-08-05 at 12:57 +0200, Stephan Steiner wrote:
>> Hi
>>
>> Is a non OK response using response code 200 a valid response?
>
> No.

I'm not sure I understood this part of Stephan's question - to make
sure there wasn't any miscommunication -

SIP/2.0 200 Failed
is perfectly legal and means exactly the same thing as
SIP/2.0 200 OK

And as Scott points out below, you really don't want to say 200 when
you don't mean it.

RjS

>
>> I've experienced this when I try to register a UAC with SER and
>> provide the wrong authentication credentials.
>> I was under the impression 200 was used to signal a success, and iirc,
>> if authentication fails on a webserver, the webserver keeps bouncing
>> back 401s a few times until it terminates with a 403.
>>
>> Shouldn't the UAS also return a 403 in this case telling the UAC that
>> there's no point in repeating the message?
>
> 403 really means "I accept your credentials, but based on that
> identity, you're not allowed to do what you asked to do".
>
> The security-purist response to any failed request by an
> unauthenticated user is to just ask for authentication - don't give
> away what part of the request is causing the failure, because you're
> potentially giving hints to an attacker.
>
> That having been said, it can be a problem for the server when phones
> just keep retrying (and some do the retries obnoxiously fast) after
> failures, so switching to a different status can be done to get the
> phone to stop.  A 200 response would be a very poor choice for this
> (although it would stop the retries) because it makes diagnosing the
> system problem very difficult.
>
> -- 
> Scott Lawrence  tel:+1-781-938-5306;ext=162 or sip:[EMAIL PROTECTED]
>   sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
>   CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/
>                                            http://www.pingtel.com/
>
> _______________________________________________
> Sip-implementors mailing list
> Sip-implementors@lists.cs.columbia.edu
> https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
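
The point made in this thread, that the status code and not the reason phrase decides the outcome, shown as an added example that is not part of either message. The failure word list, the function names and the simplified REGISTER handling are assumptions for illustration; the status lines in the comments are constructed samples.

```python
import re

# Status-Line = SIP-Version SP Status-Code SP Reason-Phrase (RFC 3261)
STATUS_LINE = re.compile(r"^SIP/2\.0 ([1-6]\d{2}) (.*)$")

CLASSES = {1: "provisional", 2: "success", 3: "redirection",
           4: "client-error", 5: "server-error", 6: "global-failure"}

# Hypothetical word list for spotting phrases that contradict a 2xx code.
FAILURE_WORDS = ("fail", "denied", "forbidden", "unauthorized", "error")


def parse_status_line(line):
    """Return (code, reason) or raise ValueError on a malformed line."""
    m = STATUS_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a SIP/2.0 status line: %r" % line)
    return int(m.group(1)), m.group(2)


def classify(line):
    """The outcome is decided by the status code alone, never the phrase."""
    code, _reason = parse_status_line(line)
    return CLASSES[code // 100]


def misleading_success(line):
    """True when a 2xx code carries a phrase that reads like a failure,
    e.g. the constructed sample 'SIP/2.0 200 Failed'."""
    code, reason = parse_status_line(line)
    return code // 100 == 2 and any(w in reason.lower() for w in FAILURE_WORDS)


def register_action(line):
    """Simplified next step for a UAC after a response to REGISTER."""
    code, _reason = parse_status_line(line)
    if code // 100 == 1:
        return "wait"
    if code // 100 == 2:
        return "registered"          # true even for '200 Failed'
    if code in (401, 407):
        return "retry-with-credentials"
    if code == 403:
        return "stop"                # no point repeating the request
    return "other-failure"
```

Running `misleading_success` over captured responses is one way to find a server that answers failed authentication with a 2xx, the case described above as very hard to diagnose.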
