Hi,

On Thu, 20 Apr 2006, Dimitri E. Prado wrote:
Even though RFC3489 mandates the use of "shared secrets" through TLS, quite a few STUN implementations do not use it. I am actually having a hard time
Yeps, this is a bit of a tricky thing. Also, in RFC3489bis, the TLS-based mechanism will probably be deprecated.
Anyways, how it should work is that you have the STUNTAG_REQUIRE_INTEGRITY() tag (given to nua_create()) which controls whether failed shared-secret discovery is a critical error or not. That's how it should work. Additionally, the client can choose not to request msgint by not calling stun_obtain_shared_secret(), but I guess we don't have a nua-level switch to select whether this is done or not. :P
locating one that does use it. I noticed that the current sofia stun implementation does not work without shared keys, even though it will compile without openssl. In case someone compiles sofia without openssl, stun_handle_request_shared_secret() will be replaced by a dummy function and the loop with su_root_step that normally follows it will run forever and
Ugh, this is a bug... Martti, can you take a look at this?
A) should the STUN implementation support servers without shared secrets
The intention is to let the application developer decide (whether to a) try msgint/shared-secret, and b) whether it needs to be successful or not).
--
under work: Sofia-SIP at http://sofia-sip.sf.net
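
A model of the control flow discussed in this thread, added here as an illustration and not taken from sofia-sip: the discovery stub reports failure when TLS support is absent, the wait on the event loop is bounded, and a require-integrity policy flag (in the spirit of STUNTAG_REQUIRE_INTEGRITY()) decides whether a missing shared secret is fatal. All names (`disc_state`, `request_shared_secret`, `root_step`, `discover`) and the three-step completion are assumptions made for the example.

```c
/* Added model; all names are hypothetical, not sofia-sip's API. */
#include <stdbool.h>

enum disc_result { DISC_OK_INTEGRITY, DISC_OK_NO_INTEGRITY, DISC_FAILED };

struct disc_state {
    bool have_tls;          /* was the build linked against a TLS library? */
    bool require_integrity; /* policy: is a missing shared secret fatal? */
    bool done;              /* set when the completion callback has fired */
    bool got_secret;        /* set when a shared secret was obtained */
    int  pending_steps;     /* loop steps left until completion; 0 = none */
};

/* Start shared-secret discovery. Returns 0 when a request is in flight and
 * -1 when it cannot start, so a no-TLS stub never looks like success. */
static int request_shared_secret(struct disc_state *s)
{
    if (!s->have_tls)
        return -1;
    s->pending_steps = 3;   /* constructed: exchange completes in 3 steps */
    return 0;
}

/* One event-loop iteration; fires the completion when the count hits 0. */
static void root_step(struct disc_state *s)
{
    if (s->pending_steps > 0 && --s->pending_steps == 0) {
        s->done = true;
        s->got_secret = true;
    }
}

/* Check the start result, wait at most max_steps, then apply the policy. */
enum disc_result discover(struct disc_state *s, int max_steps)
{
    if (request_shared_secret(s) == 0)
        for (int i = 0; i < max_steps && !s->done; i++)
            root_step(s);
    if (s->got_secret)
        return DISC_OK_INTEGRITY;
    return s->require_integrity ? DISC_FAILED : DISC_OK_NO_INTEGRITY;
}

int main(void)
{
    struct disc_state s = { .have_tls = false, .require_integrity = true };
    return discover(&s, 100) == DISC_FAILED ? 0 : 1;
}
```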
