On 03/24/2011 06:42 AM, Attila Sipos wrote:
> Currently, I can't see a way to specify digest method in the 401/407
> response.
> Can you refer me?
>
> (All I can see is qop but that just describes over which data the hash
> is performed:
>   "auth" - the bare minimum hash
>   "auth-int" - hash the message body too.)
>
> Regards
>
> Attila
>
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Kevin P. Fleming
> Sent: 24 March 2011 11:12
> Cc: [email protected]
> Subject: Re: [Sip-implementors] about md5()
>
> On 03/24/2011 01:59 AM, Attila Sipos wrote:
>>>> Is there a way to indicate that it can only do md5 in the hashing
>> response?
>>
>> sorry that should be:
>> Is there a way to indicate that it can only do md5 hashing in the
>> response?
> I believe that the UAS can insert multiple Proxy-Authenticate headers
> in its 401/407 response, as long as the headers differ from each other
> (realm, digest method, etc.). This would then allow the UAC to choose
> which one it is capable of using and issue a response to the
> appropriate challenge.
>
(I accidentally sent this to just Attila the first time. Sorry about that)

What Kevin was suggesting was doing something like the following:

SIP/2.0 401 Unauthorized
<other headers snipped>
WWW-Authenticate: Digest realm="example.com", qop="auth", nonce="12345", algorithm="MD5"
WWW-Authenticate: Digest realm="example.com", qop="auth", nonce="67890", algorithm="SHA-1"

This way the requester may respond to either of the challenges depending 
on what algorithms the requester knows. There are two issues here though:

1. There's no way for the sender of the 401 to indicate a preference for 
which algorithm to use.

2. I don't know of an HTTP digest authentication standard that defines 
"SHA-1" as an algorithm. One could assume that RFC 2617 could just be 
altered to change the "H" function in section 3.2.1 to be SHA-1 instead 
of MD5. A problem still exists that there is nothing to officially state 
what the algorithm string in such digest challenges should be. Should it 
be "SHA1" or "SHA-1" as I have used? Note that either would be RFC 2617 
compliant since any token is allowed for the algorithm. You would have 
to be prepared to deal with potential interop issues.

Mark Michelson
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors