First, I've forwarded this to Grandstream directly, but I have no idea how good their support is. I want to see if anyone can confirm my diagnostics and tell me if other Grandstream phones have a different authentication flow for phonebook.xml.
If Grandstream does not fix their firmware fairly quickly, how hard is it to enable basic HTTP auth, and how much of a security issue is it if using HTTPS?
Example log files of the 4 tests. (I have replaced IP addresses with 1.2.3.4, the username with web_auth_user, and the MAC address with macaddress in the logs.)
Log 1: cfg provisioning, alwaysAuthenticateBeforeChallenge off (works)
1.2.3.4 - - [03/Jun/2024:21:33:09 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - - [03/Jun/2024:21:33:10 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 200 63958 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
Log 2: cfg provisioning, alwaysAuthenticateBeforeChallenge on (does not work)
1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
Log 3: phonebook provision test from laptop (works)
1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
Log 4: phonebook provision from phone (does not work; the always-authenticate option is not possible to disable)
1.2.3.4 - web_auth_user [03/Jun/2024:21:42:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - web_auth_user [03/Jun/2024:21:47:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
In logs 2 and 4, you'll see two 401 Unauthorized responses for two different config filename possibilities. You'll also see the 3rd column in both is web_auth_user. This is the username set in "phonebook.download.username". My understanding is this 3rd column is the basic HTTP auth username.
In logs 1 and 3, both requests begin with a 401, get resent using digest authentication, and on the second line end with a successful 200 status. Neither line has a username in column 3. My understanding is this indicates HTTP digest authentication.
I don't believe I'm missing any settings available to end users. I am not sure if basic HTTP auth is possible or advised. However, I know that it's not possible to download the phonebook.xml on FusionPBX with the WP825 using HTTP auth enabled out of the box.
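The four tests above differ only in the shape of the request sequence: a 401 followed by a 200 (the phone or browser answered the challenge) versus a run of 401s with a user name already present in the third field (credentials were sent up front and never accepted). The script below is an added example, not the poster's code or anything shipped by Grandstream or FusionPBX; it parses access-log lines in the Apache "combined" format (which the post's lines match) and labels each test with one of those two patterns. The sample lines are copies of the post's redacted logs, so 1.2.3.4, macaddress and web_auth_user are the poster's placeholders, and the label names are this example's own.

```python
"""Classify HTTP authentication flows from combined-format access log lines.

Added example (not from the original post). Apache's "combined" format is
  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
where the third field (%u) is the user name the server took from the
request's Authorization header, or "-" when none was recorded.
"""
import re

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: copies of the poster's redacted lines, one list per test.
SAMPLE_LOGS = {
    "log1": [
        '1.2.3.4 - - [03/Jun/2024:21:33:09 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
        '1.2.3.4 - - [03/Jun/2024:21:33:10 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 200 63958 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
    ],
    "log2": [
        '1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
        '1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
    ],
    "log3": [
        '1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"',
        '1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"',
    ],
    "log4": [
        '1.2.3.4 - web_auth_user [03/Jun/2024:21:42:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
        '1.2.3.4 - web_auth_user [03/Jun/2024:21:47:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"',
    ],
}


def parse_line(line):
    """Split one combined-format line into fields; user is None when logged as '-'."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        raise ValueError("not a combined-format log line: %r" % line)
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    return entry


def classify_flow(lines):
    """Label one provisioning attempt (a short sequence of requests by one client).

    challenge-then-success  first reply was 401, a later request got 2xx
    preemptive-rejected     a user name was logged on every request, all were 401
    no-credentials          every reply was 401 and no user name was ever logged
    immediate-success       the very first request got 2xx
    """
    entries = [parse_line(line) for line in lines]
    statuses = [e["status"] for e in entries]
    users_seen = [e["user"] for e in entries if e["user"]]
    if statuses and 200 <= statuses[0] < 300:
        return "immediate-success"
    if statuses[0] == 401 and any(200 <= s < 300 for s in statuses[1:]):
        return "challenge-then-success"
    if all(s == 401 for s in statuses):
        return "preemptive-rejected" if len(users_seen) == len(entries) else "no-credentials"
    return "other"


def diagnose(samples):
    """Classify every labelled test in a dict of {name: [log lines]}."""
    return {name: classify_flow(lines) for name, lines in samples.items()}


if __name__ == "__main__":
    for name, label in diagnose(SAMPLE_LOGS).items():
        print(name, label)
```

Running it labels log1 and log3 as challenge-then-success and log2 and log4 as preemptive-rejected, which is exactly the split the poster describes. One caveat when reading the third field: Apache records %u for whichever scheme its auth module processed, while nginx's $remote_user is parsed from a Basic header only, so whether a populated field proves Basic depends on which server wrote the log; the script therefore treats it only as "credentials accompanied the request".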