Improve authentication when the server is "ugly"

[ibc]

(Reported by Fabian Santana in jssip maillist).

Real use case:

• JsSIP sends un-REGISTER (no credentials yet).
• Asterisk replies 401 with a theorically new or still valid nonce "7b522aca".
• JsSIP re-sends un-REGISTER with proper credentials.
• Asterisk checks the credentials "response" field. It's valid but... Asterisk decides that the used nonce "7b522aca" is now invalid or has been disabled (WTF !). This is known due the "stale=true" field.
• JsSIP then does not attempt to send a new un-REGISTER again.

The authentication code in JsSIP could be improved to handle strange (but existing...) scenarios like this. Perhaps try 2 times sending credentials instead of just one? That would make JsSIP more reliable in "non-reliable" scenarios.

NOTE: No user API change involved, so good for 0.2.2.

[jmillan]

This will be fixed with the 'stale' parameter handling. Issue #18

[ibc]

Humm, I don't think this should depend on #18 (or maybe... but not sure). Regardless JsSIP reuses nonces or not, it could occur this case:

• JsSIP sends un-REGISTER with credentials by reusing a previous nonce value.
• 401 with "stale=true" since such a nonce has already been invalidated by the registrar. So this 401 contains a new nonce value.
• JsSIP re-sends the un-REGISTER with new credentials according to the new nonce value.
• The registrar is stupid and replies 401 again with "stale=true".

This CAN occur when using Asterisk, so a better improvement for this would be trying un-registration one more time.

[jmillan]

@ibc Yes. I will try the stale stuff first anyway.

BTW this could be a known Asterisk bug.

[jmillan]

Credential re-use has been implemented in 85ca354 5ed612 and 96b9f6c

The scenario described above should result in a registration failure IMHO. If JsSIP re-generates the credentials with a new response according to a new nonce value and it receives a 401 again, that means that the credentials are invalid or the server buggy, but I don't think re-sending the REGISTER would solve the problem anyway.

[ibc]

Please, recheck my issue description. The case exposed there is real and ugly, but still valid. And I insist: this has nothing to do with credentials reuse.

[jmillan]

I mean, if the server responds 401 and an un-REGISTER is re-sent with re-calculated credendials, I think I should give the request as failed if receiving a 401 again. Don`t you?

[ibc]

If the second 401 has not "stale=true" then I agree at 100%. But in the case I describe (and that is a real case with Asterisk) the second 401 has "stale=true" and then I consider JsSIP should give it another chance for authentication with the new nonce.

It's ugly that Asterisk replies 401 and then another 401 with "stale=true" (it means "I've sent you this nonce for authenticating against me but then I invalidate it when you send me the Digest response"). Anyhow we should be ready for that.

[jmillan]

JsSIP does already manage the defined situation. It is Asterisk compilant in that way.