[OpenSIPS-Users] Dialog module and uac_auth

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Jan 4 12:16:01 CET 2010


Hi Brian,

opensipslist at encambio.com wrote:
> Hello Bogdan,
>
> An jeu., déc 24, 2009, Bogdan-Andrei Iancu schrieb:
>   
>> opensipslist at encambio.com wrote:
>>     
>>> A while ago it was clear that uac_auth is of limited utility,
>>> due to the SIP RFC which requires that each message has a unique
>>> cseq. Calling uac_auth from failure_route produced a new INVITE
>>> with a proxy-auth header that didn't have a new cseq however.
>>>
>>> Since the dialog module appeared, I'm wondering how if scripts
>>> can be tweaked to use uac_auth in a SIP RFC compliant way.
>>>
>>> ...or is it still true that doing uac_auth() in failure_route
>>> fills in the proxy-auth header of a INVITE message that has
>>> already expired its cseq (no longer valid in the dialog)?
>>>
>>>       
>> The limitation is still true - even with the dialog support, the
>> dialog can be monitored, but not changed - changing the CSEQ will
>> affect the dialog for its whole lifetime , requiring opensips to
>> constantly update the cseq in all sequential requests....this is
>> more than the dialog module was designed for :)
>>
>>     
> So I suppose you're saying that the only way to use uac_auth is
> to send two INVITEs, one without auth credentials followed by
> on with the proper auth credentials... but without an increased
> cseq number.
>   
right, this is the way it works right now.
> For what is that valuable at all (I thought that OpenSIPS tries
> to be as RFC compliant as possible?) I have the feeling that I'm
> not 'getting it' or using uac_correctly, in a way that the cseq
> numbers are not relevant.
>   
I know the RFC requires the increase of cseq number during auth process, 
but OpenSIPS (as proxy) cannot do this (if it does it, it will alter the 
dialog as created by the caller).
The UAC AUTH without cseq increase is a bit of a hack - not all devices 
do really require the cseq inc. during auth.

> I'm trying to authenticate a UAC phone with a third party SIP to
> PSTN gateway, while having OpenSIPS in between. The gateway rejects
> repeated INVITEs with the same cseq number. The situation is quite
> typical, so I'm sure that OpenSIPS provides a way to solve this
> problem, no?
>   
OpenSIPS itself no (as said, it cannot change elements that are defining 
the dialog). But you may try a trick - when you receive the auth request 
from the GW, ask the caller again for auth (from opensips), so that the 
caller will generate a new proper INVITE you can use for auth. Shortly, 
instead of the generating the second INVITE on opensips, force the 
client (in whatever way) to generate it (to have proper cseq) and you 
simply attach the credentials to the new INVITE when sending it to 
GW.....just an idea, never tried it :)

Regards,
Bogdan




More information about the Users mailing list