<div>Hi everybody</div><div><br></div><div>The bug 11245 (<a href="https://issues.asterisk.org/view.php?id=11245">https://issues.asterisk.org/view.php?id=11245</a>) (Asterisk unable to handle Multple Authorization Headers) was closed because the use of multiple authorization headers for the same realm apparently was not valid (following the SIP RFCs)... so It seems that it was only a eMTA/ATA/Phone problem.</div>
<div>Related with this problem, the support team of Arris International (at Europe) (the manufacturer of the device with this behavior...) sended the following info:</div><div><br></div><div>----------------------------------------------------------------</div>
<div><div>In RFC3261, Section 22.3 "Proxy-to-User Authentication", the spec states that:</div><div><br></div><div> "It is possible for multiple challenges associated with the same realm</div><div> to appear in the same 401 (Unauthorized) or 407 (Proxy Authentication</div>
<div> Required). This can occur, for example, when multiple proxies within</div><div> the same administrative domain, which use a common realm, are reached</div><div> by a forking request. When it retries a request, a UAC MAY therefore</div>
<div> supply multiple credentials in Authorization or Proxy-Authorization</div><div> header fields with the same "realm" parameter value. The same</div><div> credentials SHOULD be used for the same realm."</div>
<div><br></div><div>Although I doubt this has any advantage, it is not really forbidden. In fact, most commercial proxies have no problems with multiple auth headers.</div><div>----------------------------------------------------------------</div>
<div><br></div><div>We have no problem with this, because we have a flag at the devices config files to change this behavior, but I am personally interested to understand if this is really a Asterisk bug, and If it'll be interesting to change the asterisk sip messages authorization process, or it is not a problem at all ???</div>
<div><br></div><div>Any way, I think that It will be interesting to add this info to the bug, even if the bug is not reopened.</div><div><br></div><div>Any opinion related with this??? Is a bug??</div><div><br></div><div>
Thanks in advance</div><div><br></div><div>Best regards...</div></div>-- <br>Hasta otra!!!<br> Eduardo Ferro Aldama<br> Alea Soluciones<br> <br> <a href="http://www.alea-soluciones.com">http://www.alea-soluciones.com</a> <br>
<a href="http://oss.alea-soluciones.com">http://oss.alea-soluciones.com</a><br> <a href="http://doc.alea-soluciones.com">http://doc.alea-soluciones.com</a><br><br>