Daniel-Constantin Mierla writes:

> With the above considerations, to make it specs compliant, the code has to
> be extended that even in the case of expired nonce, the auth_db (and the
> other auth* variants) has to go further to compute the response and if
> there was a match, then add stale=true. As it is right now, if someone
> sends an expired nonce with an incorrect password, the stale=true is added,
> even though it shouldn't as per specs.

I would consider that a serious bug that needs to be fixed. stale=true should be set only in case authentication would otherwise succeed, but the nonce has expired. After the fix, I don't see any reason why stale=true could not be set.

-- Juha

_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
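
The decision order discussed in this thread, as an added example that is not Kamailio's code and not part of either message: the digest response is computed even for an expired nonce, and stale=true is returned only when it matches. The nonce layout, `SECRET`, `NONCE_TTL` and all function names are assumptions made for illustration; the response formula is the RFC 2617 form without qop.

```python
import hashlib
import hmac

SECRET = b"constructed-nonce-secret"  # assumption: server-side nonce key
NONCE_TTL = 300                       # assumption: nonce lifetime, seconds

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def nonce_mac(ts_hex):
    return hmac.new(SECRET, ts_hex.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(issued_at):
    # Hypothetical nonce layout: 8 hex digits of issue time + truncated HMAC.
    ts_hex = f"{issued_at:08x}"
    return ts_hex + nonce_mac(ts_hex)

def nonce_state(nonce, now):
    ts_hex, mac = nonce[:8], nonce[8:]
    if not hmac.compare_digest(mac.encode(), nonce_mac(ts_hex).encode()):
        return "invalid"              # not issued by this server
    return "expired" if now - int(ts_hex, 16) > NONCE_TTL else "fresh"

def digest_response(ha1, nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authenticate(ha1, creds, method, now):
    """Return 'ok', 'challenge' or 'challenge stale=true'."""
    state = nonce_state(creds["nonce"], now)
    if state == "invalid":
        return "challenge"
    # Compute the response even when the nonce has expired.
    expected = digest_response(ha1, creds["nonce"], method, creds["uri"])
    if not hmac.compare_digest(expected.encode(), creds["response"].encode()):
        return "challenge"            # wrong password: never stale=true
    return "ok" if state == "fresh" else "challenge stale=true"
```
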
