See Inline. Thanks, Neel.
> -----Original Message----- > From: [email protected] [mailto:sip- > [email protected]] On Behalf Of Olle E. > Johansson > Sent: Friday, December 16, 2011 6:35 AM > To: [email protected] sip- > [email protected] > Subject: [Sip-implementors] Security issue in SIPconnect 1.1? > > " > 15.4.1.3 > Unknown SIP-PBX Identity > The SP-SSE MUST issue a 404 Not Found response to a REGISTER request, > if the Registration AOR of the SIP-PBX is not found in its database. An > SIP-PBX receiving such a response to a REGISTER request MUST consider > the Registration attempt to have failed, and notify the SIP-PBX > administrator if possible through some means. The SIP-PBX SHOULD follow > the backoff procedures defined previously in Section 15.4.1.1. > " > > [Neel] Ideally, if the SP_SSE supports authentication it should send 401 Unauthorized first to REGISTER. Otherwise, it should send 404 Not Found. > This means that it will be easy to find accounts in a SIP connect > compliant service. If an account exists, I'll get an authentication > response. Otherwise I will get a 404. This is something we fixed in > Asterisk a long time ago in order to not make it easy to find existing > accounts. > > /O > _______________________________________________ > Sip-implementors mailing list > [email protected] > https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
