[asterisk-dev] Summary: SIP, NAT, security concerns, oh my!
Olle E. Johansson
oej at edvina.net
Wed Nov 9 14:58:07 CST 2011
9 nov 2011 kl. 21:05 skrev Bruce B:
> I just did an X-Lite register to Asterisk extension and first SIP invite included extension but then Asterisk rejected and asked for authentication to which X-Lite provided password?!
>
> So, why is there the need to invite without providing authentication in the first place? Why is there a two step to authentication? This really shows a shortcoming of SIP v2.0 RFC when it comes to this type of security implementation.
Bruce,
I suggest you do some reading on challenge-response authentication and HTTP Digest MD5 auth.
To succeed with challenge-response, you need a challenge to respond to. You get that in the first response, the 401 or 407.
/O
More information about the asterisk-dev
mailing list