Describe the bug
Previously reported in ticket # 1779 but not addressed. When FS sends a 401 Unauthorized to a SUBSCRIBE request, the WWW-Authenticate string is missing. This is required per RFC 3261 section 22.2.
To Reproduce
Simply have an endpoint send a SUBSCRIBE for BLF. When the endpoint re-sends a SUBSCRIBE after the sofia nonce has expired, FreeSWITCH will respond with 401 Unauthorized.
Expected behavior
The WWW-Authenticate string should be received in the SIP message.
Package version or git hash
Tested with 1.10.8 to 1.10.12, all easily reproducible.
Also worth noting that some Fanvil phones will immediately retry the same SUBSCRIBE and get the same response, thus launching their own DoS attack in response to the 401. We had over 50 million SUBSCRIBEs a day due to this bug - I think from around 10 phones. Fanvil issued firmware updates to stop it from happening.
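A check that can be run over captured SIP responses to spot the behaviour reported above, added here as an example and not taken from FreeSWITCH or from the posts in this issue: it flags 401/407 responses that lack the challenge header RFC 3261 requires. The sample messages, addresses, Call-IDs and function names are constructed for illustration.

```python
import re

# Status codes that must carry a challenge header (RFC 3261 sections 21.4.2 and 21.4.8).
REQUIRED_CHALLENGE = {401: "www-authenticate", 407: "proxy-authenticate"}

def parse_response(raw):
    """Return (status, headers) for a SIP response, or None for requests/garbage."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    m = re.match(r"SIP/2\.0 (\d{3})\b", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so store them lowercased
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers

def bare_challenges(messages):
    """List (status, call_id, cseq) for 401/407 responses missing their challenge."""
    findings = []
    for raw in messages:
        parsed = parse_response(raw)
        if parsed is None:
            continue
        status, headers = parsed
        needed = REQUIRED_CHALLENGE.get(status)
        # A present-but-empty header is as useless to the client as a missing one.
        if needed and not any(headers.get(needed, [])):
            call_id, cseq = (headers.get(h, ["?"])[0] for h in ("call-id", "cseq"))
            findings.append((status, call_id, cseq))
    return findings

# Constructed sample messages (not captured from a real system).
BAD_401 = ("SIP/2.0 401 Unauthorized\r\n"
           "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed1\r\n"
           "From: <sip:1001@example.test>;tag=a1\r\n"
           "To: <sip:1002@example.test>;tag=b1\r\n"
           "Call-ID: constructed-call-1@192.0.2.10\r\n"
           "CSeq: 3 SUBSCRIBE\r\n\r\n")
GOOD_401 = BAD_401.replace("constructed-call-1", "constructed-call-2").replace(
    "CSeq: 3 SUBSCRIBE\r\n",
    "CSeq: 3 SUBSCRIBE\r\nWWW-Authenticate: Digest realm=\"example.test\",\r\n"
    " nonce=\"constructed-nonce\", algorithm=MD5\r\n")
REQUEST = "SUBSCRIBE sip:1002@example.test SIP/2.0\r\nCSeq: 4 SUBSCRIBE\r\n\r\n"

if __name__ == "__main__":
    print(bare_challenges([BAD_401, GOOD_401, REQUEST]))
```

Grouping the findings by Call-ID or source address would also show which endpoints are repeatedly hitting the bare 401.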