[asterisk-dev] Improper (?) use of SIP 403 to reject REGISTER for bad auth

Olle E. Johansson oej at edvina.net
Mon Apr 8 03:40:24 CDT 2013


8 apr 2013 kl. 10:33 skrev Nathan Anderson <nathana at fsr.com>:

> Hey Olle,
> 
> On Sunday, April 07, 2013 11:15 PM, Olle E. Johansson wrote:
> 
>> I think this is a very old bug that I implemented. The 403 should be
>> removed.
> 
> Thanks for the reply.  If not with a 403 (which I agree with you on), how should Asterisk respond to a REGISTER attempt with invalid credentials?  Should it repeat the 401 status code?  Although I have found people condemning the use of a 403 response in such a scenario, I haven't found a description of recommended "best industry practice" either.
Well, it goes all the way back to HTTP digest auth, so it is hard to track. There's very few guidelines here. At that point I think I just wanted to stop devices that was badly configured and found that sending 403 stopped the traffic. 

We should really just re-challenge forever and the client should back off when realizing that the password is not correct - and maybe retry after reconfiguration or after a set time period.

> 
> Also, does a JIRA already exist for this, or should I open a new one?

The hard part is what to do with released code. I think it's a serious bug that needs to be fixed, but we can't break the current way of working. I think we have to implement an option that by default is off (existing behaviour) but can be turned on. This hits a lot of users in the head, so it's quite urgent. I wasn't aware of it until a week ago, when a customer had a blackout like you.

I have no idea if a JIRA issue exist, so search for one or open a new one.

/O


More information about the asterisk-dev mailing list