Hi,

During recent tests, I found a strange behavior during the authentication process using the Digest algorithm. Analyzing the problem from a high level, this is the behavior:

1. A REGISTER packet without any authentication header is sent to the server.
2. The server replies with a '401 Unauthorized' with an authentication header which includes a challenge (nonce).
3. The client issues a new REGISTER request with the necessary authentication header, including the answer to the challenge.
4. As the response is incorrect (because the password is incorrect), the server replies again with a '401 Unauthorized', but includes a new challenge and stale = false.
5. When the client receives a new challenge, it automatically restarts a new authentication process, by sending a new REGISTER request with the response to challenge #2.
6. As before, the server answers with a new challenge.
7. And the client issues a new response.
8. Steps 6 and 7 are repeated endlessly until the server locks the account and answers with a '403 User Not Authenticated'.

Both behaviours (client and server side) seem to be correct and compliant with RFC 3261 (SIP: Session Initiation Protocol) and RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).

Am I missing anything?

Best regards,
Nuno Costa

--
=========================================
Nuno Costa
Senior Engineer
WIT Software S.A.
Coimbra (Portugal), San Jose (California)
Phone : +351 239 801030
Mobile: +351 91 9821825
Email : nuno.costa at wit-software.com
Web: http://www.wit-software.com
=========================================
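
RFC 2617 section 3.2.1 defines the stale flag: only stale=TRUE invites a retry with the same credentials, while stale=FALSE or no stale directive means the username and/or password are invalid and new values must be obtained. The following is an added example, not part of the original post and not pjsip code, of a client-side check that stops the loop in steps 5 to 8 before the account is locked; the enum and function names are hypothetical and the header string is constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not the pjsip API. */
enum auth_action { AUTH_SEND_CREDENTIALS, AUTH_RETRY_SAME_CREDENTIALS, AUTH_STOP_AND_PROMPT };

/* Case-insensitive comparison of exactly n bytes. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 only if the challenge has a stale parameter equal to "true".
 * Walks name=value pairs so text inside quoted values is never matched. */
static int challenge_is_stale(const char *p)
{
    while (*p && !isspace((unsigned char)*p)) p++;          /* skip scheme token */
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        const char *name = p;
        while (*p && *p != '=' && *p != ',') p++;
        size_t nlen = (size_t)(p - name);
        if (*p != '=') continue;                            /* parameter without value */
        int quoted = (*++p == '"');
        if (quoted) p++;
        const char *val = p;
        while (*p && (quoted ? *p != '"' : (*p != ',' && !isspace((unsigned char)*p)))) {
            if (quoted && *p == '\\' && p[1]) p++;          /* quoted-pair escape */
            p++;
        }
        size_t vlen = (size_t)(p - val);
        if (quoted && *p == '"') p++;
        if (nlen == 5 && ieq(name, "stale", 5))
            return vlen == 4 && ieq(val, "true", 4);
    }
    return 0;
}

/* Decide how to react to a 401; answered != 0 means a digest response was already sent. */
enum auth_action on_401(const char *www_authenticate, int answered)
{
    if (!answered) return AUTH_SEND_CREDENTIALS;            /* first challenge (step 2) */
    return challenge_is_stale(www_authenticate) ? AUTH_RETRY_SAME_CREDENTIALS
                                                : AUTH_STOP_AND_PROMPT;  /* step 4 case */
}

int main(void)
{
    /* Constructed challenge modelled on step 4 of the post. */
    const char *hdr = "Digest realm=\"example.invalid\", nonce=\"n2\", stale=FALSE";
    printf("action=%d\n", (int)on_401(hdr, 1));
    return 0;
}
```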