Hello Iñaki,

On Wed, Jan 20, 2010, Iñaki Baz Castillo wrote:
>On Wednesday, 20 January 2010, [email protected] wrote:
>> On Wed, Jan 20, 2010, Iñaki Baz Castillo wrote:
>>>On Wednesday, 20 January 2010, [email protected] wrote:
>>>> I know that strategies differ according to security needs but...
>>>>
>>>> Which SIP messages are typically challenged for authentication?
>>>>
>>>In the case of dialogs (INVITE, SUBSCRIBE) it's typically just
>>>required to challenge the initial request forming such dialog
>>>(initial INVITE, initial SUBSCRIBE). The rest of requests in-dialog
>>>contain to_tag so usually it's not needed to authenticate them.
>>
>> Good point. I think I'll change the route script to only challenge
>> initial requests. I guess a simple
>>
>> if (!has_totag()) {
>>     if (!aaa_proxy_authorize("")) {
>>         proxy_challenge("", "1");
>>         exit;
>>     }
>>     if (!db_check_from()) {
>>         xlog("L_WARN", "$rm: Cheating attempt\n");
>>         send_reply("403", "Forbidden");
>>         exit;
>>     }
>>     consume_credentials();
>>     # caller authenticated
>> }
>>
>> ...near the top of the route script would do the job nicely. Is
>> this what you mean in your advice?
>
>Yes, but take into account that REGISTER doesn't use
>proxy_authorize but www_authorize.
>

Thanks for the reminder and for the generally good advice.

Regards,
Brian
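
The quoted block with the REGISTER reminder applied, as an added example that is not part of the original thread or the poster's final script. It assumes `is_method()`, `aaa_www_authorize()`, `www_challenge()` and `db_check_to()` are available from the modules the script already loads; the `db_check_to()` identity check for REGISTER is an assumption added here to mirror the `db_check_from()` check in the quoted code.

```opensips
# Added example: goes near the top of the main route, like the quoted block.
if (!has_totag()) {
    # Initial request (no To tag): this is the only place a challenge is sent.
    if (is_method("REGISTER")) {
        # REGISTER terminates at the registrar, so the www variant applies:
        # the challenge is 401 with WWW-Authenticate.
        if (!aaa_www_authorize("")) {
            www_challenge("", "1");
            exit;
        }
        # Assumption: for REGISTER the identity being bound is in the To
        # header, so the credentials are compared against To, not From.
        if (!db_check_to()) {
            xlog("L_WARN", "$rm: Cheating attempt\n");
            send_reply("403", "Forbidden");
            exit;
        }
        # Credentials are not consumed here: the request is not relayed.
    } else {
        # Any other initial request passes through the proxy, so the proxy
        # variant applies: the challenge is 407 with Proxy-Authenticate.
        if (!aaa_proxy_authorize("")) {
            proxy_challenge("", "1");
            exit;
        }
        if (!db_check_from()) {
            xlog("L_WARN", "$rm: Cheating attempt\n");
            send_reply("403", "Forbidden");
            exit;
        }
        # Strip the Proxy-Authorization header before relaying downstream.
        consume_credentials();
    }
    # caller authenticated
}
# Requests carrying a To tag fall through unchallenged, as in the quoted block.
```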
