Dale,

I agree, the proxy doesn't prevent the phone from performing
correctly. But the proxy allows a locally terminated call which
requires authorization, with any incorrect authentication credentials
which it should not. This could let a malicious user to spoof calls as
a valid user.

Thanks,
Arjun

On Fri, Mar 26, 2010 at 5:57 PM, WORLEY, DALE R (DALE)
<[email protected]> wrote:
> ________________________________________
> From: [email protected] 
> [[email protected]] On Behalf Of Arjun Sambamoorthy 
> [[email protected]]
>
> When I make a call from a valid user registered with sipX to another
> valid registered sipX user. I get a 407 Proxy authenticate challenge.
> sipX accepts my MD5 response calculated with "any" (unknown/non
> existing) user name and password. sipX should actually reject my
> response with another 407 until I authenticate with a correct and
> valid nuser name and password.
> ________________________________________
>
> Although it does not seem to me that this behavior on the part of the proxy 
> will prevent a phone that possesses correct credentials from performing 
> correctly.  If the call is routed toward a destination that requires 
> authorization, the proxy will check that the presented authentication 
> credentials are correct for the claimed user name, and that the claimed user 
> name has the appropriate authorization.
>
> Dale
>
_______________________________________________
sipx-users mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/

Reply via email to