[asterisk-dev] [Code Review] 2554: Pimp my SIP: alwaysauthreject

wdoekes reviewboard at asterisk.org
Tue Jun 4 10:27:12 CDT 2013



> On June 4, 2013, 7:55 a.m., wdoekes wrote:
> > team/group/pimp_my_sip/res/res_sip/sip_distributor.c, lines 209-217
> > <https://reviewboard.asterisk.org/r/2554/diff/6/?file=39035#file39035line209>
> >
> >     Aren't we doing the inverse of "rejecting" always. It sounds more like "alwaysauthchallenge" if we keep replying with a 401 instead of a 403.
> >     
> >     That would make the name confusing for all users except those used to the chan_astsip settings: always_pretend_bad_password=yes is perhaps a better name. Or, if we turn it around: disclose_account_rejection=no (default)
> 
> Joshua Colp wrote:
>     The code as written sends a 401 and then a 403 if the option is enabled, just like a normal rejection.

Ok. I was under the impression that we wouldn't do the alternating 401/403, but keep sending 401's ad infinitum.

http://lists.digium.com/pipermail/asterisk-dev/2013-April/059321.html (and rest of thread)

But it looks like the thread was stalled without any decisions being made.

Matt says:
> Good points. I agree with Olle as well - [fixing misuse of 403's] feels like this should be
> solved when Asterisk is registering as well as when it's a registrar.
> 
> Do you mind commenting on the issue with your rationale? When this bug
> gets worked, I'd like to make sure that it gets solved correctly.

And then there was silence.

If the switch were to be made, then the name "alwaysauthreject" would be wrong. The latter two names I suggested would still be valid.


- wdoekes


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2554/#review8779
-----------------------------------------------------------


On June 3, 2013, 11:10 p.m., Kevin Harwell wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2554/
> -----------------------------------------------------------
> 
> (Updated June 3, 2013, 11:10 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-21433
>     https://issues.asterisk.org/jira/browse/ASTERISK-21433
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Adds support for 'alwaysauthreject' to the new SIP channel driver.  When the 'alwaysauthreject' option is set to 'yes' (default) and no matching endpoint is found for the incoming request, after challenging, Asterisk will respond with a 401 Unauthorized regardless of the reason it rejects the request.
> 
> These changes also include a new global 'security' configuration section in res_sip.conf that now includes the 'alwaysauthreject' and ACL options.
> 
> 
> Diffs
> -----
> 
>   team/group/pimp_my_sip/include/asterisk/res_sip.h 390389 
>   team/group/pimp_my_sip/res/res_sip.c 390389 
>   team/group/pimp_my_sip/res/res_sip.exports.in 390389 
>   team/group/pimp_my_sip/res/res_sip/config_auth.c 390389 
>   team/group/pimp_my_sip/res/res_sip/config_security.c PRE-CREATION 
>   team/group/pimp_my_sip/res/res_sip/sip_configuration.c 390389 
>   team/group/pimp_my_sip/res/res_sip/sip_distributor.c 390389 
>   team/group/pimp_my_sip/res/res_sip_acl.c 390389 
>   team/group/pimp_my_sip/res/res_sip_authenticator_digest.c 390389 
>   team/group/pimp_my_sip/res/res_sip_outbound_authenticator_digest.c 390389 
> 
> Diff: https://reviewboard.asterisk.org/r/2554/diff/
> 
> 
> Testing
> -------
> 
> Attempted to connect to an unknown endpoint in Asterisk and observed that it responded appropriately and with a correct 401 when 'alwaysauthreject' was enabled.
> 
> 
> Thanks,
> 
> Kevin Harwell
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20130604/42290ae0/attachment-0001.htm>


More information about the asterisk-dev mailing list