Bug#697341: repro fails to consume Proxy-Authorization header, interop issue with FreeSWITCH

Daniel Pocock daniel at pocock.com.au
Fri Jan 4 08:11:09 UTC 2013


Package: repro
Version: 1.8.5-1
Severity: important



According to the SIP RFCs, SIP DIGEST authentication is meant to operate
much like HTTP DIGEST authentication.

Although not specified explicitly in the SIP RFCs, this means that like
HTTP proxies, SIP proxies should remove any Proxy-Authorization headers
that relate to their own realm (after validating the credentials, of course).

repro is leaving Proxy-Authorization headers intact when relaying SIP
messages to other proxies or their final destination.

This is bad for interoperability and security.

- interoperability: FreeSWITCH fails to accept such packets completely
(observed during late 2012 in a conf call with the FreeSWITCH team)

- security: although the password is not revealed (due to the DIGEST
algorithm), the username for the realm is propagated downstream.  This
may not be desirable.

Upstream has fixed this in v1.8.6.
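
Added example, not part of the original report and not repro's own code: a minimal sketch of the behaviour the report asks for, removing the Proxy-Authorization headers that belong to the proxy's own realm before relaying and leaving credentials for other realms in place. The function names, the realm "example.org" and the sample message are constructed for illustration, and the credentials are assumed to have been validated already.

```python
import re

# Realm parameter of a Digest credential, e.g. realm="example.org"
_REALM_RE = re.compile(r'\brealm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

def unfold_headers(head):
    """Join folded header lines (a continuation starts with SP or HTAB)."""
    lines = []
    for line in head.split("\r\n"):
        if lines and line[:1] in (" ", "\t"):
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def strip_own_proxy_auth(message, own_realm):
    """Drop Proxy-Authorization headers for own_realm; keep all others.

    Assumption: the caller has already validated the credentials.
    """
    head, sep, body = message.partition("\r\n\r\n")
    lines = unfold_headers(head)
    kept = [lines[0]]  # request line is never a header
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            m = _REALM_RE.search(value)
            if m and m.group(1) == own_realm:
                continue  # consumed by this proxy, not relayed
        kept.append(line)
    return "\r\n".join(kept) + sep + body

# Constructed sample: one credential for this proxy's realm (folded over two
# lines) and one for a downstream proxy's realm, which must survive.
SAMPLE = (
    "INVITE sip:bob@downstream.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP client.example.org;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.org>;tag=constructed\r\n"
    "To: <sip:bob@downstream.example>\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 2 INVITE\r\n"
    'Proxy-Authorization: Digest username="alice", realm="example.org",\r\n'
    ' nonce="n1", uri="sip:bob@downstream.example", response="0"\r\n'
    'PROXY-AUTHORIZATION: Digest username="alice-ds",'
    ' realm="downstream.example", nonce="n2", response="0"\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(strip_own_proxy_auth(SAMPLE, "example.org"))
```

Header names are matched case-insensitively and folded lines are joined first, so a credential split across lines is removed as a whole rather than leaving its continuation behind.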


