[asterisk-dev] [Code Review] SIP authentication support

Mark Michelson mmichelson at digium.com
Wed Feb 13 09:14:53 CST 2013

On 02/13/2013 02:07 AM, Olle E. Johansson wrote:
> However, that quote answers my question about migrating to SHA256, 
> even though I think there's a policy issue here - why would you want 
> to offer a bad auth mech when you have a better. How should a client 
> respond? I think there is work to be done here. Let's discuss that at 
> SIPit.
> /O

I think the idea behind offering multiple schemes is that a server may 
support both MD5 and SHA256, but the client that is trying to 
authenticate may only support MD5. Even though SHA256 is the better 
scheme, the server also accepts MD5 for compatibility purposes.

If a client is presented with multiple schemes that it knows how to use, 
then my thought is that the client should determine which scheme is 
"strongest" and respond to that challenge only. We can discuss it more 
at SIPit for sure. We just need to be sure to document what we come up 
with on the wiki.

Mark Michelson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20130213/a549481f/attachment.htm>

More information about the asterisk-dev mailing list