> On 17 Jun 2020, at 17:22, Maxim Sobolev <sobo...@sippysoft.com> wrote:
>
> Whoever works on this needs to consider two things I think:
>
> - ability to select algorithms when challenging UAC (MD5-only, SHA256-only,
> SHA-512/256-only, all permutations). The RFC allows UAS to include multiple
> HFs(*). MD5-only should probably be the default. I suspect there might be a
> significantly non-trivial population of UACs that would get confused
> receiving multiple digests. Plus enabling challenges for all protocols would
> expand the size of 401s messages.

Agree, multiple challenges will break stuff. I'm not sure that implementations actually bother with parsing the algorithm parameter.

> - ability to accept response in either of supported hashing methods or any
> combination thereof. The reasonable default here is probably MD5-only for
> now, again to prevent the possibility of foul play when we only request MD5,
> while for some reason getting say SHA-256 back.

If you challenge with SHA512 only, you should not accept anything else.

> -Max
>
> *) Example:
>
> 401 Unauthorized
> [..]
> WWW-Authenticate: Digest
>     realm="http-a...@example.org",
>     qop="auth, auth-int",
>     algorithm=SHA-256,
>     nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
>     opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
> WWW-Authenticate: Digest
>     realm="http-a...@example.org",
>     qop="auth, auth-int",
>     algorithm=MD5,
>     nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
>     opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"

So the question is how to migrate. I don't believe migrating within the same UA base will ever work smoothly. If you have a provisioning system it is easy to set up a SIP subdomain, let's say "strong.example.com", and use that either for the OB proxy or the SIP domain, depending on your setup. By doing that, you can have a zone with devices/clients that can handle stronger auth and *only* use that. For the old ones, keep them running until you reasonably can upgrade them. Of course you can do this with realms too, but that requires a strong realm implementation in the UAs, something that SNOM had in the beginning but removed (maybe it was too hard to explain).

Cheers,
/O

> On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard <amoiz...@gmail.com> wrote:
>
> On Tue, 16 Jun 2020 at 20:42, Henning Westerholt <h...@skalatan.de> wrote:
>
>> Hello,
>>
>> take a look at this parameter, you can switch between MD5 and SHA256, but
>> only use one at a time:
>>
>> https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
>>
>> About planned features – I am not aware of major extensions in this module.
>> Of course, any contribution is welcome.
>
> Thanks for your answer.
> If I have some time, I might try to make a PR on being able to select the
> algorithm at runtime.
>
> Regards,
> Aymeric
>
>> Cheers,
>>
>> Henning
>>
>> --
>> Henning Westerholt – https://skalatan.de/blog/
>> Kamailio services – https://gilawa.com
>>
>> From: sr-users <sr-users-boun...@lists.kamailio.org> On Behalf Of Aymeric Moizard
>> Sent: Monday, June 15, 2020 10:31 PM
>> To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
>> Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
>>
>>> Hi All,
>>>
>>> I'd like to improve my setup by switching to SHA-256.
>>> However, as a first step, I would like to offer both MD5 and SHA-256
>>> in 2 different WWW-Authenticate headers.
>>>
>>> If I'm correct, this is not doable with the latest auth module?
>>> Is this a planned feature?
>>>
>>> As an alternative, I would like to decide the algorithm in the script
>>> instead of a module parameter. It looks to me this is also not doable?
>>> Again, is this a planned feature?
>>>
>>> Thanks to all,
>>>
>>> Regards
>>> Aymeric
>>>
>>> --
>>> Antisip - http://www.antisip.com
>
> --
> Antisip - http://www.antisip.com
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
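The algorithm-matching rule Olle states above (challenge with one algorithm, accept only that one) and the two-header 401 from Max's footnote, worked through as an added Python example; this is not code from the thread's authors or from the Kamailio auth module. It emits one WWW-Authenticate header per configured algorithm, computes the RFC 7616 response for qop=auth, and verifies a SIP Authorization header only when its algorithm is one the server actually challenged. The realm, nonce and opaque values are the ones from the quoted 401; the credential store, username, password, cnonce and request URI are constructed for the example.

```python
"""Digest challenge/response with strict algorithm matching (added example)."""
import hashlib
import hmac
import re

# Hash constructors keyed by the RFC 7616 algorithm token.
# SHA-512-256 is left out because hashlib support for it is platform dependent.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed credential store for the example (assumption, not a real backend).
CREDENTIALS = {"alice": "Circle of Life"}


def _h(alg, text):
    return ALGORITHMS[alg](text.encode()).hexdigest()


def build_challenges(realm, nonce, opaque, algorithms):
    """One WWW-Authenticate header per algorithm, in the order given.

    RFC 7616 allows several challenges in one 401; the thread's point is that
    many SIP UACs cannot cope, so a production server normally passes one.
    """
    return [
        f'WWW-Authenticate: Digest realm="{realm}", qop="auth", '
        f'algorithm={alg}, nonce="{nonce}", opaque="{opaque}"'
        for alg in algorithms
    ]


def compute_response(alg, username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 7616 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _h(alg, f"{username}:{realm}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(alg, username, realm, password, method, uri,
                        nonce, opaque, cnonce, nc="00000001"):
    """What a UAC sends back after the challenge (used here to exercise verify)."""
    resp = compute_response(alg, username, realm, password, method, uri, nonce, nc, cnonce)
    return (
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
        f'algorithm={alg}, response="{resp}", opaque="{opaque}"'
    )


# auth-param := token "=" ( quoted-string | token )
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Parse the comma separated auth-params into a dict."""
    _, _, params = header.partition("Digest ")
    return {key: quoted if quoted else token for key, quoted, token in _PARAM.findall(params)}


def verify(header, method, expected_nonce, challenged):
    """Accept the response only if its algorithm is one we challenged, the nonce
    is the one we issued, and the digest matches the stored password.

    Returns (ok, reason_or_algorithm)."""
    p = parse_authorization(header)
    alg = p.get("algorithm", "MD5")  # RFC 7616: an absent algorithm means MD5
    if alg not in challenged:
        # This is the "challenge SHA-256, got MD5 back" case from the thread:
        # a weaker digest than the one we asked for is refused outright.
        return False, f"algorithm {alg} was not challenged"
    if p.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    password = CREDENTIALS.get(p.get("username"))
    if password is None:
        return False, "unknown user"
    try:
        expected = compute_response(alg, p["username"], p["realm"], password,
                                    method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False, "bad response"
    return True, alg


if __name__ == "__main__":
    realm = "http-auth@example.org"
    nonce = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v"
    opaque = "FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
    for line in build_challenges(realm, nonce, opaque, ["SHA-256"]):
        print(line)
    for alg in ("SHA-256", "MD5"):
        hdr = build_authorization(alg, "alice", realm, "Circle of Life", "REGISTER",
                                  "sip:example.org", nonce, opaque, "f2/wE4q74E6zIJEtWaHKaf5")
        print(alg, "->", verify(hdr, "REGISTER", nonce, challenged={"SHA-256"}))
```

Run as a script it prints the single SHA-256 challenge, then accepts the SHA-256 response and rejects the MD5 one against the same nonce. Kamailio's auth module currently takes the algorithm as a module parameter rather than per request, so the `challenged` set here stands in for whatever the server was configured to send; Olle's subdomain approach amounts to running two such configurations side by side.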