[asterisk-dev] Multiple authorization header for a SIP message. More info to the bug report.

Olle E. Johansson oej at edvina.net
Mon Jan 18 01:27:21 CST 2010


On 18 Jan 2010, at 00:10, Eduardo Ferro wrote:

> Hi everybody
> 
> The bug 11245 (https://issues.asterisk.org/view.php?id=11245) (Asterisk unable to handle Multiple Authorization Headers) was closed because the use of multiple authorization headers for the same realm apparently was not valid (following the SIP RFCs)... so it seems that it was only an eMTA/ATA/Phone problem.
> Related to this problem, the support team of Arris International (in Europe) (the manufacturer of the device with this behavior...) sent the following info:
> 
> ----------------------------------------------------------------
> In RFC3261, Section 22.3 "Proxy-to-User Authentication", the spec states that:
> 
>   "It is possible for multiple challenges associated with the same realm
>    to appear in the same 401 (Unauthorized) or 407 (Proxy Authentication
>    Required).  This can occur, for example, when multiple proxies within
>    the same administrative domain, which use a common realm, are reached
>    by a forking request.  When it retries a request, a UAC MAY therefore
>    supply multiple credentials in Authorization or Proxy-Authorization
>    header fields with the same "realm" parameter value.  The same
>    credentials SHOULD be used for the same realm."
> 
> Although I doubt this has any advantage, it is not really forbidden. In fact, most commercial proxies have no problems with multiple auth headers.
> ----------------------------------------------------------------
> 
> We have no problem with this, because we have a flag in the device config files to change this behavior, but I am personally interested to understand if this is really an Asterisk bug, and if it'll be interesting to change the Asterisk SIP message authorization process, or if it is not a problem at all?
> 
> Anyway, I think that it will be interesting to add this info to the bug, even if the bug is not reopened.
> 
> Any opinion related to this? Is it a bug?
> 
SIP can only have one 401 and one 407 from the same realm, but we should be able to handle one each as well as multiple 407's in the same message from different realms. We do not do that today in any version of Asterisk.

Whether it's a bug or a missing feature is another issue.

If you still have the training material from the Malaga class, there's a slide covering the multiple realm scenario where I usually say that this is not supported, that we only support one challenge per request.

Regards,
/O
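
Added example (not part of the original thread and not Asterisk code): a small Python check that flags a SIP request carrying more than one Authorization or Proxy-Authorization header for the same realm, the pattern discussed above. The sample message, host names and digest values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a REGISTER retry with two credentials for one realm
# (one folded across lines, one with a lower-case header name).
SAMPLE = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="1001", realm="example.test",\r\n'
    '  nonce="aaaa", uri="sip:pbx.example.test", response="0000"\r\n'
    'authorization: Digest username="1001", realm="example.test",'
    ' nonce="bbbb", uri="sip:pbx.example.test", response="1111"\r\n'
    'Proxy-Authorization: Digest username="1001", realm="carrier.test",'
    ' nonce="cccc", uri="sip:pbx.example.test", response="2222"\r\n'
    "Content-Length: 0\r\n\r\n"
)

CRED_HEADERS = {"authorization", "proxy-authorization"}
REALM_RE = re.compile(r'\brealm\s*=\s*"((?:[^"\\]|\\.)*)"', re.I)

def credential_headers(message):
    """Return [(header-name, realm)] for every credential header, in order."""
    head = message.split("\r\n\r\n", 1)[0]
    # Unfold continuation lines (a line starting with SP/HTAB continues the previous).
    head = re.sub(r"\r\n[ \t]+", " ", head)
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CRED_HEADERS:
            m = REALM_RE.search(value)
            found.append((name.strip().lower(), m.group(1) if m else None))
    return found

def same_realm_duplicates(message):
    """Map (header, realm) -> count for realms credentialed more than once."""
    counts = defaultdict(int)
    for key in credential_headers(message):
        counts[key] += 1
    return {k: n for k, n in counts.items() if n > 1}

if __name__ == "__main__":
    for (hdr, realm), n in same_realm_duplicates(SAMPLE).items():
        print(f"{n} {hdr} headers for realm {realm!r}")
```

Run over captured requests from a device, this shows whether it sends duplicate same-realm credentials before the traffic reaches a server that supports only one challenge per request.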