Bug#692960: federated SIP mode not working, third-party peers receive DIGEST challenge
Daniel Pocock
daniel at pocock.com.au
Sun Nov 11 13:04:24 UTC 2012
Package: repro
Version: 1.8.2-1+b1
Severity: serious

This bug is marked as serious because

a) it concerns a feature that has been very widely promoted for the 1.8
release, it has also been widely promoted upstream that wheezy will have
repro v1.8

b) because the bug causes the proxy to refuse SIP messages from external
peers who present a valid client cert, with no workaround possible

Note: this doesn't impact peers explicitly listed in the ACL. However,
the ACL can't know about arbitrary peers making ad-hoc connections in a
fully federated environment.

The bug only applies to the repro binary package and not other packages
built from the resiprocate source package.

Specific details of the bug:

- when local users have to authenticate themselves using the DIGEST
method (instead of certificates), repro is (wrongly) expecting ALL peers
to authenticate with DIGEST
- it is quite common to have local users (e.g. IP phones) authenticating
using the DIGEST method
- however, repro 1.8.2 is also sending a DIGEST challenge back to
external third-party proxies as well as local users
- usually, third-party proxies should only have to pass the certificate
validation test, as they will not have DIGEST credentials on the local proxy
- all of the above permutations are configurable (e.g. certificate or
DIGEST modes can both be turned on and off independently in repro.config
and known peers can be pre-defined in the ACL)

The bug is fixed in 1.8.5 and beyond:

http://svn.resiprocate.org/viewsvn/resiprocate/branches/resiprocate-1.8/resip/dum/ServerAuthManager.cxx?r1=9854&r2=9855&diff_format=l

and an unblock request has been raised for 1.8.5 to enter wheezy:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681387
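
The challenge decision described in this report, modelled as an added example that is not part of the original message and is not repro's code. It compares the reported 1.8.2 behaviour with the expected one over constructed requests. All type, function and field names, the sample domains, and the rule that the certificate must cover the From domain are assumptions.

```cpp
#include <string>
#include <vector>

// Added model; every name is hypothetical, none is from repro or repro.config.
enum class Outcome { Accept, ChallengeDigest };
struct Policy { bool digestEnabled, certEnabled; };  // the two auth modes
struct Request {
    std::string label;       // constructed sample name
    std::string fromDomain;  // domain claimed in the From header
    bool inAcl;              // source is pre-defined in the ACL
    bool certValid;          // TLS client certificate validated
    std::string certDomain;  // domain that certificate asserts
    bool digestOk;           // carries a valid DIGEST response
};

// Reported 1.8.2 behaviour: with DIGEST on, every peer outside the ACL
// is challenged, whether or not it presented a valid certificate.
Outcome reportedBehaviour(const Policy& p, const Request& r) {
    if (r.inAcl) return Outcome::Accept;
    if (p.digestEnabled && !r.digestOk) return Outcome::ChallengeDigest;
    return Outcome::Accept;
}

// Expected behaviour: a certificate-validated peer is not challenged.
// Assumption: the certificate must also cover the From domain.
Outcome expectedBehaviour(const Policy& p, const Request& r) {
    if (p.certEnabled && r.certValid && r.certDomain == r.fromDomain)
        return Outcome::Accept;
    return reportedBehaviour(p, r);  // ACL and DIGEST rules unchanged
}

// Labels of requests challenged as reported but accepted as expected.
std::vector<std::string> wronglyChallenged(const Policy& p,
                                           const std::vector<Request>& rs) {
    std::vector<std::string> out;
    for (const Request& r : rs)
        if (reportedBehaviour(p, r) == Outcome::ChallengeDigest &&
            expectedBehaviour(p, r) == Outcome::Accept)
            out.push_back(r.label);
    return out;
}

// Constructed sample traffic; example.* domains are placeholders.
std::vector<Request> sampleRequests() {
    return {{"ip-phone-no-creds", "example.com", false, false, "", false},
            {"acl-peer", "example.net", true, false, "", false},
            {"federated-peer", "example.org", false, true, "example.org", false},
            {"spoofed-from", "example.com", false, true, "example.org", false}};
}
```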