<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 11 Feb 2013 at 23:49, Mark Michelson <<a href="mailto:mmichelson@digium.com">mmichelson@digium.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/11/2013 04:09 PM, Olle E.
Johansson wrote:<br>
</div>
<blockquote cite="mid:095CFFBE-20CE-4568-8B47-42F6C8F29793@edvina.net" type="cite">
<br>
<div>
<div>On 11 Feb 2013 at 22:08, "Mark Michelson" <<a moz-do-not-send="true" href="mailto:reviewboard@asterisk.org">reviewboard@asterisk.org</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<pre style="font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); margin: 0px; padding: 0px; white-space: pre-wrap; word-wrap: break-word; ">This means that Asterisk may send multiple WWW-Authenticate headers out in an authentication challenge and can cope with multiple Authorization headers in requests.</pre>
</blockquote>
</div>
Hi!
<div>A small clarification:</div>
<div><br>
<div>An endpoint that wants to authenticate a request should
only send ONE www-authenticate in one response.</div>
<div><br>
</div>
<div>It can receive multiple proxy-authenticate and ONE
www-authenticate in a response, and thus needs to send
multiple proxyauth and one www auth in a request.</div>
<div><br>
</div>
<div>Now, if we have multiple auth methods as a server, like MD5
and SHA256, I don't know what to do really... This needs to be
investigated.</div>
<div><br>
</div>
<div>Cheers</div>
<div>/O</div>
</div>
<br>
</blockquote>
<br>
<tt>RFC 2617 mentions the possibility to send multiple
WWW-Authenticate headers in an HTTP 401 response. It specifically
mentions the case where multiple authentication schemes are
offered (see section 4.6).<br>
<br>
Looking through RFC 3261, I can't see anything that explicitly
prohibits more than one WWW-Authenticate header being sent.
Looking in section 22.3 (which is about proxy to user
authentication), it says the following:<br>
</tt><br>
<tt>"When resubmitting its request in response to a 401
(Unauthorized) or 407 (Proxy Authentication Required) that
contains multiple challenges, a UAC MAY include an Authorization
value for each WWW-Authenticate value and a Proxy-Authorization
value for each Proxy-Authenticate value for which the UAC wishes
to supply a credential. As noted above, multiple credentials in a
request SHOULD be differentiated by the "realm" parameter.<br>
<br>
</tt><tt>It is possible for multiple challenges associated with the
same realm to appear in the same 401 (Unauthorized) or 407 (Proxy
Authentication Required). This can occur, for example, when
multiple proxies within the same administrative domain, which use
a common realm, are reached by a forking request. When it retries
a request, a UAC MAY therefore supply multiple credentials in
Authorization or Proxy-Authorization header fields with the same
"realm" parameter value. The same credentials SHOULD be used for
the same realm."<br>
<br>
It mentions an example of multiple proxies being reached by a
forking request, but it does not necessarily mean that that is the
only reason multiple challenges may be present in a response. And
in the previous paragraph, the mention of "for each
WWW-Authenticate value" means that there can be more than one
present.<br>
<br>
Is there a newer RFC that obsoletes or clarifies what RFC 3261
says here? Or have I misinterpreted things in some way?<br></tt></div></blockquote></div><br><div>Multiple proxy auth are always possible, that's right - even in the same realm. What I questioned was multiple WWW-auth.</div><div><br></div><div>I had missed the fact that you can have multiple WWW-auth - but only where the authentication schemes are different. As long as you are using only MD5, you only have one.</div><div><br></div><div>There is a corner case where the proxy forks to multiple devices and both answer with a challenge; then you have two challenges in the same dialog if the proxy is transaction stateful. You should only issue ONE challenge (using one auth mech), but you may receive two. I've never seen that happening or seen that in a bug report. Wonder if we can force that scenario?</div><div><br></div><div>However, that quote answers my question about migrating to SHA256, even though I think there's a policy issue here - why would you want to offer a bad auth mech when you have a better one? How should a client respond? I think there is work to be done here. Let's discuss that at SIPit.</div><div><br></div><div>/O</div><div><br></div></body></html>
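The client-side policy question raised in the thread (several challenges in one 401/407, possibly for the same realm after a fork, with MD5 and SHA-256 offered side by side) can be made concrete with a small parser. This is an added example, not Asterisk or reviewboard code; the 401 response is constructed, and the strongest-first ranking in ALGORITHM_RANK is an assumed policy, not something RFC 3261 mandates.

```python
import re
from collections import OrderedDict

# Assumed client policy: strongest algorithm first; anything not listed is never answered.
ALGORITHM_RANK = {"SHA-256": 0, "MD5": 1}

# Constructed sample: one WWW-Authenticate challenge plus three Proxy-Authenticate
# challenges, two of them for the same realm (the forking case from RFC 3261 22.3).
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP client.example;branch=z9hG4bK776\r\n"
    'WWW-Authenticate: Digest realm="ua.example", nonce="n1", algorithm=MD5, qop="auth"\r\n'
    'Proxy-Authenticate: Digest realm="proxy.example", nonce="n2", algorithm=MD5\r\n'
    'Proxy-Authenticate: Digest realm="proxy.example", nonce="n3", algorithm=SHA-256\r\n'
    'Proxy-Authenticate: Digest realm="other.example", nonce="n4", algorithm=RC4-MAGIC\r\n'
    "Content-Length: 0\r\n\r\n"
)

# key=value pairs; value is either a quoted string or a bare token.
PARAM_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenges(response):
    """Return one dict per WWW-Authenticate / Proxy-Authenticate header field, in header order."""
    challenges = []
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("www-authenticate", "proxy-authenticate"):
            continue
        scheme, _, params = value.strip().partition(" ")
        challenge = {"header": name.strip(), "scheme": scheme}
        for key, quoted, bare in PARAM_RE.findall(params):
            challenge[key.lower()] = quoted if quoted else bare
        challenge.setdefault("algorithm", "MD5")  # RFC 2617 default when absent
        challenges.append(challenge)
    return challenges


def select_challenges(challenges):
    """Keep, per (header, realm), the strongest Digest challenge; drop unknown schemes/algorithms."""
    best = OrderedDict()
    for challenge in challenges:
        if challenge["scheme"] != "Digest" or "realm" not in challenge:
            continue
        rank = ALGORITHM_RANK.get(challenge["algorithm"].upper())
        if rank is None:
            continue  # unsupported algorithm: do not answer it
        key = (challenge["header"].lower(), challenge["realm"])
        if key not in best or rank < ALGORITHM_RANK[best[key]["algorithm"].upper()]:
            best[key] = challenge
    return list(best.values())
```

Each selected challenge maps to exactly one Authorization or Proxy-Authorization value in the retried request, so the same-realm MD5 challenge is never answered when a SHA-256 one is available.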