[OpenSIPS-Users] I never see 404 not found

sajjad purmohseni spurmohseni at yahoo.com
Fri Sep 7 16:45:24 CEST 2012


Hello Muhammad, thanks for pursuing this.

Yes, the second INVITE or REGISTER contains an authentication header; this is the scenario I mean:

1 client -------------------------------Invite-------------------------------> Proxy
2 client <-------------------407 with nonce---------------------------- Proxy
3 client ------------Invite with calculated nonce-------------------> Proxy
4 client <----------------100 giving a try--------------------------------- Proxy
5 client <----------------180 ringing--------------------------------------- Proxy

I mean that when the client uses an invalid "From URI" in the authentication header in the third step, the proxy should send a "404 not found"; but as I see, the server just sends a 407 message. As you know, if the URI is valid and the calculated response in the authentication header is invalid, the server sends a 407 message too. Because of this I cannot tell whether the URI binding is valid or not. I expect that if the "From URI" binding is invalid in the authentication process, the server sends me a 404 not found message. Is this a possible and typical option in SIP proxy servers?

Thank you

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




________________________________
 From: Muhammad Shahzad <shaheryarkh at googlemail.com>
To: sajjad purmohseni <spurmohseni at yahoo.com> 
Cc: "users at lists.opensips.org" <users at lists.opensips.org> 
Sent: Friday, September 7, 2012 6:07 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found
 

Does the second INVITE contain a Proxy-Authorization header? Can you please paste the SIP trace here?

Thank you.



On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:

>Hello Muhammad, thanks for the reply.
>
>
>I think you mean invalidity of the "To URI", but I am talking about invalidity of the "From URI" or the caller contact. In the authentication process I expect to receive "404 not found" after sending the second INVITE or REGISTER message, but I receive 401 or 407. Is it normal action by the server, or can it send "404 not found" about an invalid "From URI" to tell the client that the contact URI is invalid?
>
>--------------------------------------------------
>kind regards;
>        Sajad Pourmohseni
> 
>
>
>
>
>
>
>________________________________
> From: Muhammad Shahzad <shaheryarkh at googlemail.com>
>To: sajjad purmohseni <spurmohseni at yahoo.com>; OpenSIPS users mailling list <users at lists.opensips.org> 
>Sent: Friday, September 7, 2012 1:45 PM
>Subject: Re: [OpenSIPS-Users] I never see 404 not found
> 
>
>
>Yes because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.
>
>
># authenticate if from local subscriber (uncomment to enable auth)
> # authenticate all initial non-REGISTER request that pretend to be
> # generated by local subscriber (domain from FROM URI is local)
> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
> {
>  if (!proxy_authorize("", "subscriber")) {
>   proxy_challenge("", "0");
>   exit;
>  }
>
>
>This gets called BEFORE you check for the destination, which is the right way to do it. The caller should authenticate itself before the callee is checked.
>
>
>Thank you.
>
>
>
>On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:
>
>Hi all
>> 
>>I use the sipp tool together with an opensips server to generate normal SIP traffic. I successfully enabled authentication in opensips, added some users in the database and performed the authentication process in register and invite requests. I see valid authentication when username and password are valid, and failure in authentication when the password is invalid. After sending the first invite and receiving a 407 (proxy auth req) message, in my scenario an Invite message is sent with an authentication header containing a valid nonce. My problem is that when the URI of the re-Invite request is invalid I receive 407 instead of 404 (not found).
>>I'm so grateful for any help.
>> 
>> 
>>This is my opensips config file (opensips.cfg):
>> 
>> 
>> 
>> 
>> 
>>#
>># $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
>>#
>># OpenSIPS basic configuration script
>>#     by Anca Vamanu <anca at voice-system.ro>
>>#
>># Please refer to the Core CookBook at:
>>#      http://www.opensips.org/index.php?n=Resources.DocsCookbooks
>># for an explanation of possible statements, functions and parameters.
>>#
>>
>>####### Global Parameters #########
>>#debug=3
>>log_stderror=no
>>log_facility=LOG_LOCAL0
>>fork=yes
>>children=4
>>/* uncomment the following lines to enable debugging */
>>debug=6
>>#fork=no
>>#log_stderror=yes
>>/* uncomment the next line to disable TCP (default on) */
>>#disable_tcp=yes
>>/* uncomment the next line to enable the auto temporary blacklisting of 
>>   not available destinations (default disabled) */
>>#disable_dns_blacklist=no
>>/* uncomment the next line to enable IPv6 lookup after IPv4 dns 
>>   lookup failures (default disabled) */
>>#dns_try_ipv6=yes
>>/* uncomment the next line to disable the auto discovery of local aliases
>>   based on reverse DNS on IPs (default on) */
>>#auto_aliases=no
>>/* uncomment the following lines to enable TLS support  (default off) */
>>#disable_tls = no
>>#listen = tls:your_IP:5061
>>#tls_verify_server = 1
>>#tls_verify_client = 1
>>#tls_require_client_certificate = 0
>>#tls_method = TLSv1
>>#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
>>#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
>>#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>>port=5060
>>/* uncomment and configure the following line if you want opensips to 
>>   bind on a specific interface/port/proto (default bind on all available) */
>>listen=udp:194.225.238.244:5060
>>
>>####### Modules Section ########
>>#set module path
>>mpath="/usr/local/lib64/opensips/modules/"
>>/* uncomment next line for MySQL DB support */
>>loadmodule "db_mysql.so"
>>loadmodule "signaling.so"
>>loadmodule "sl.so"
>>loadmodule "tm.so"
>>loadmodule "rr.so"
>>loadmodule "maxfwd.so"
>>loadmodule "usrloc.so"
>>loadmodule "registrar.so"
>>loadmodule "textops.so"
>>loadmodule "mi_fifo.so"
>>loadmodule "uri_db.so"
>>loadmodule "uri.so"
>>loadmodule "xlog.so"
>>loadmodule "acc.so"
>>/* uncomment next lines for MySQL based authentication support 
>>   NOTE: a DB (like db_mysql) module must be also loaded */
>>loadmodule "auth.so"
>>loadmodule "auth_db.so"
>>/* uncomment next line for aliases support
>>   NOTE: a DB (like db_mysql) module must be also loaded */
>>#loadmodule "alias_db.so"
>>/* uncomment next line for multi-domain support
>>   NOTE: a DB (like db_mysql) module must be also loaded
>>   NOTE: be sure and enable multi-domain support in all used modules
>>         (see "multi-module params" section ) */
>>#loadmodule "domain.so"
>>/* uncomment the next two lines for presence server support
>>   NOTE: a DB (like db_mysql) module must be also loaded */
>>#loadmodule "presence.so"
>>#loadmodule "presence_xml.so"
>>
>># ----------------- setting module-specific parameters ---------------
>>
>># ----- mi_fifo params -----
>>modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>>
>># ----- rr params -----
>># add value to ;lr param to cope with most of the UAs
>>modparam("rr", "enable_full_lr", 1)
>># do not append from tag to the RR (no need for this script)
>>modparam("rr", "append_fromtag", 0)
>>
>># ----- registrar params -----
>>modparam("registrar", "method_filtering", 1)
>>/* uncomment the next line to disable parallel forking via location */
>># modparam("registrar", "append_branches", 0)
>>/* uncomment the next line not to allow more than 10 contacts per AOR */
>>#modparam("registrar", "max_contacts", 10)
>>
>># ----- usrloc params -----
>>modparam("usrloc", "db_mode",   0)
>>/* uncomment the following lines if you want to enable DB persistency
>>   for location entries */
>>#modparam("usrloc", "db_mode",   2)
>>#modparam("usrloc", "db_url",
>># "mysql://opensips:opensipsrw@localhost/opensips")
>>
>># ----- uri_db params -----
>>/* by default we disable the DB support in the module as we do not need it
>>   in this configuration */
>>modparam("uri_db", "use_uri_table", 0)
>>modparam("uri_db", "db_url", "")
>>
>># ----- acc params -----
>>/* what special events should be accounted ? */
>>modparam("acc", "early_media", 1)
>>modparam("acc", "report_ack", 1)
>>modparam("acc", "report_cancels", 1)
>>/* by default we do not adjust the direction of the sequential requests.
>>   if you enable this parameter, be sure to enable "append_fromtag"
>>   in "rr" module */
>>modparam("acc", "detect_direction", 0)
>>/* account triggers (flags) */
>>modparam("acc", "failed_transaction_flag", 3)
>>modparam("acc", "log_flag", 1)
>>modparam("acc", "log_missed_flag", 2)
>>/* uncomment the following lines to enable DB accounting also */
>>modparam("acc", "db_flag", 1)
>>modparam("acc", "db_missed_flag", 2)
>>
>># ----- auth_db params -----
>>/* uncomment the following lines if you want to enable the DB based
>>   authentication */
>>modparam("auth_db", "calculate_ha1", yes)
>>modparam("auth_db", "password_column", "password")
>>modparam("auth_db", "db_url",
>> "mysql://opensips:opensipsrw@localhost/opensips")
>>modparam("auth_db", "load_credentials", "")
>>
>># ----- alias_db params -----
>>/* uncomment the following lines if you want to enable the DB based
>>   aliases */
>>#modparam("alias_db", "db_url",
>># "mysql://opensips:opensipsrw@localhost/opensips")
>>
>># ----- domain params -----
>>/* uncomment the following lines to enable multi-domain detection
>>   support */
>>#modparam("domain", "db_url",
>># "mysql://opensips:opensipsrw@localhost/opensips")
>>#modparam("domain", "db_mode", 1)   # Use caching
>>
>># ----- multi-module params -----
>>/* uncomment the following line if you want to enable multi-domain support
>>   in the modules (default off) */
>>#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>
>># ----- presence params -----
>>/* uncomment the following lines if you want to enable presence */
>>#modparam("presence|presence_xml", "db_url",
>># "mysql://opensips:opensipsrw@localhost/opensips")
>>#modparam("presence_xml", "force_active", 1)
>>#modparam("presence", "server_address", "sip:192.168.1.2:5060")
>>
>>####### Routing Logic ########
>>
>># main request routing logic
>>route{
>> if (!mf_process_maxfwd_header("10")) {
>>  sl_send_reply("483","Too Many Hops");
>>  exit;
>> }
>> if (has_totag()) {
>>  # sequential request within a dialog should
>>  # take the path determined by record-routing
>>  if (loose_route()) {
>>   if (is_method("BYE")) {
>>    setflag(1); # do accounting ...
>>    setflag(3); # ... even if the transaction fails
>>   } else if (is_method("INVITE")) {
>>    # even if in most of the cases is useless, do RR for
>>    # re-INVITEs also, as some buggy clients do change route set
>>    # during the dialog.
>>    record_route();
>>   }
>>   # route it out to whatever destination was set by loose_route()
>>   # in $du (destination URI).
>>   route(1);
>>  } else {
>>   /* uncomment the following lines if you want to enable presence */
>>   ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>>   ## # in-dialog subscribe requests
>>   ## route(2);
>>   ## exit;
>>   ##}
>>   if ( is_method("ACK") ) {
>>    if ( t_check_trans() ) {
>>     # non loose-route, but stateful ACK; must be an ACK after 
>>     # a 487 or e.g. 404 from upstream server
>>     t_relay();
>>     exit;
>>    } else {
>>     # ACK without matching transaction ->
>>     # ignore and discard
>>     exit;
>>    }
>>   }  
>>   sl_send_reply("404","Not here");
>>  }
>>  exit;
>> }
>> #initial requests
>> # CANCEL processing
>> if (is_method("CANCEL"))
>> {
>>  if (t_check_trans())
>>   t_relay();
>>  exit;
>> }
>> t_check_trans();
>> # authenticate if from local subscriber (uncomment to enable auth)
>> # authenticate all initial non-REGISTER request that pretend to be
>> # generated by local subscriber (domain from FROM URI is local)
>> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
>> ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
>> {
>>  if (!proxy_authorize("", "subscriber")) {
>>   proxy_challenge("", "0");
>>   exit;
>>  }
>>  if (!check_from()) {
>>   sl_send_reply("403","Forbidden auth ID");
>>   exit;
>>  }
>> 
>>  consume_credentials();
>>  # caller authenticated
>> }
>> # preloaded route checking
>> if (loose_route()) {
>>  xlog("L_ERR",
>>  "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>>  if (!is_method("ACK"))
>>   sl_send_reply("403","Preload Route denied");
>>  exit;
>> }
>> # record routing
>> if (!is_method("REGISTER|MESSAGE"))
>>  record_route();
>> # account only INVITEs
>> if (is_method("INVITE")) {
>>  setflag(1); # do accounting
>> }
>> if (!uri==myself)
>> ## replace with following line if multi-domain support is used
>> ##if (!is_uri_host_local())
>> {
>>  append_hf("P-hint: outbound\r\n"); 
>>  # if you have some interdomain connections via TLS
>>  ##if($rd=="tls_domain1.net") {
>>  ## t_relay("tls:domain1.net");
>>  ## exit;
>>  ##} else if($rd=="tls_domain2.net") {
>>  ## t_relay("tls:domain2.net");
>>  ## exit;
>>  ##}
>>  route(1);
>> }
>> # requests for my domain
>> ## uncomment this if you want to enable presence server 
>> ##   and comment the next 'if' block
>> ##   NOTE: uncomment also the definition of route[2] from  below
>> ##if( is_method("PUBLISH|SUBSCRIBE"))
>> ##  route(2);
>> if (is_method("PUBLISH"))
>> {
>>  sl_send_reply("503", "Service Unavailable");
>>  exit;
>> }
>> 
>> if (is_method("REGISTER"))
>> {
>>  # authenticate the REGISTER requests (uncomment to enable auth)
>>  if (!www_authorize("", "subscriber"))
>>  {
>>   www_challenge("", "0");
>>   exit;
>>  }
>>  if (!check_to()) 
>>  {
>>   sl_send_reply("403","Forbidden auth ID");
>>   exit;
>>  }
>>  if (!save("location"))
>>   sl_reply_error();
>>  exit;
>> }
>> if ($rU==NULL) {
>>  # request with no Username in RURI
>>  sl_send_reply("484","Address Incomplete");
>>  exit;
>> }
>> # apply DB based aliases (uncomment to enable)
>> ##alias_db_lookup("dbaliases");
>> if (!lookup("location")) {
>>  switch ($retcode) {
>>   case -1:
>>   case -3:
>>    t_newtran();
>>    t_reply("404", "Not Found");
>>    exit;
>>   case -2:
>>    sl_send_reply("405", "Method Not Allowed");
>>    exit;
>>  }
>> }
>> # when routing via usrloc, log the missed calls also
>> setflag(2);
>> route(1);
>>}
>>
>>route[1] {
>> # for INVITEs enable some additional helper routes
>> if (is_method("INVITE")) {
>>  t_on_branch("2");
>>  t_on_reply("2");
>>  t_on_failure("1");
>> }
>> if (!t_relay()) {
>>  sl_reply_error();
>> };
>> exit;
>>}
>>
>># Presence route
>>/* uncomment the whole following route for enabling presence
>>   NOTE: do not forget to enable the call of this route from the main
>>     route */
>>##route[2]
>>##{
>>## if (!t_newtran())
>>## {
>>##  sl_reply_error();
>>##  exit;
>>## };
>>##
>>## if(is_method("PUBLISH"))
>>## {
>>##  handle_publish();
>>##  t_release();
>>## }
>>## else
>>## if( is_method("SUBSCRIBE"))
>>## {
>>##  handle_subscribe();
>>##  t_release();
>>## }
>>##
>>## exit;
>>##}
>>
>>branch_route[2] {
>> xlog("new branch at $ru\n");
>>}
>>
>>onreply_route[2] {
>> xlog("incoming reply\n");
>>}
>>
>>failure_route[1] {
>> if (t_was_cancelled()) {
>>  exit;
>> }
>> # uncomment the following lines if you want to block client 
>> # redirect based on 3xx replies.
>> ##if (t_check_status("3[0-9][0-9]")) {
>> ##t_reply("404","Not found");
>> ## exit;
>> ##}
>> # uncomment the following lines if you want to redirect the failed 
>> # calls to a different new destination
>> ##if (t_check_status("486|408")) {
>> ## sethostport("192.168.2.100:5060");
>> ## # do not set the missed call flag again
>> ## t_relay();
>> ##}
>>}
>>
>
>
>
>-- 
>Muhammad Shahzad
>-----------------------------------
>CISCO Rich Media Communication Specialist (CRMCS)
>CISCO Certified Network Associate (CCNA)
>Cell: +92 334 422 40 88
>MSN: shari_786pk at hotmail.com
>Email: shaheryarkh at googlemail.com
>
>
>


-- 
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
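
Added example, not part of the original thread and not OpenSIPS code: a simplified Python model of the authentication block in the posted script (`proxy_authorize`, `proxy_challenge`, `check_from`). It shows why an unknown user and a wrong password both produce 407 on the wire while the server can still record the specific reason; the realm, subscriber table and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

REALM = "example.test"                       # constructed realm
SUBSCRIBERS = {("alice", REALM): "s3cret"}   # constructed subscriber table


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 digest response (no qop), as the client computes it in step 3."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def make_creds(user, password, nonce, method="INVITE", uri="sip:bob@example.test"):
    """Build the Proxy-Authorization fields a client would send."""
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "response": digest_response(user, REALM, password, nonce, method, uri)}


def authorize(method, from_user, creds, issued_nonce):
    """Return (status sent to the client, reason written to the server log).

    A status of None means the caller is authenticated and routing continues.
    """
    if creds is None:
        return 407, "no credentials"
    if creds["nonce"] != issued_nonce:
        return 407, "stale nonce"
    password = SUBSCRIBERS.get((creds["username"], creds["realm"]))
    if password is None:
        return 407, "unknown user"           # same wire status as a bad password
    expected = digest_response(creds["username"], creds["realm"], password,
                               creds["nonce"], method, creds["uri"])
    if not hmac.compare_digest(expected, creds["response"]):
        return 407, "wrong password"
    if creds["username"] != from_user:       # models the check_from() step
        return 403, "From user differs from auth user"
    return None, "authenticated"
```

Answering 404 for an unknown caller would let an unauthenticated client test which accounts exist, so the model keeps that distinction in the server-side reason rather than in the reply.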