[OpenSIPS-Users] uac_auth
Bogdan-Andrei Iancu
bogdan at opensips.org
Mon Nov 4 12:25:30 CET 2013
Hi Rik,
The truth is in the middle. The second invite from opensips (the one
with credentials) must not be considered a retransmission - it has a
totally different VIA branch -> different transaction.
Also, OpenSIPS should increase the CSeq when answering the challenge,
but it is not able to do so, as OpenSIPS is mainly a SIP proxy, not a b2bua.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 11/04/2013 12:22 PM, Rik Broers wrote:
>
> Hello Bogdan,
>
> Yes, I'm very sure that the proper credentials are used ;)
>
> I'm going to try and calculate the response according to the RFC.
>
> One thing I found is that Asterisk seems to ignore my second INVITE
> with Authorization because of retransmit?
>
> It seems that I should increase my CSeq on the second INVITE. How can I
> do this neatly?
>
> [Nov 4 11:08:25] DEBUG[22804]: chan_sip.c:22448 handle_incoming: ****
> Received INVITE (5) - Command in SIP INVITE
>
> [Nov 4 11:08:25] DEBUG[22804]: chan_sip.c:22467 handle_incoming:
> Ignoring SIP message because of retransmit (INVITE Seqno 12481, ours
> 12481) Ignoring this INVITE request
>
> Kind regards,
>
> *Rik Broers*
>
> */Voice Engineer/*
>
> *From:* Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
> *Sent:* Friday 1 November 2013 12:34
> *To:* Rik Broers
> *Cc:* OpenSIPS users mailing list
> *Subject:* Re: [OpenSIPS-Users] uac_auth
>
> Hello Rik,
>
> It may be silly, but are you sure you filled in the proper
> credentials (realm, auth user and password)?
>
> Also, based on how the response for digest is computed, you can double
> check the OpenSIPS auth response (calculating the HA and md5 sums as
> per RFC 2617).
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
>
> On 11/01/2013 01:09 PM, Rik Broers wrote:
>
> Yes, that's correct. OpenSIPS sends out an INVITE with an
> Authorization header in response to the 401 Unauthorized.
>
> This Authorization header contains the correct nonce.
>
> Instead of being authorized, I receive another 401 Unauthorized,
> to which OpenSIPS replies again with the new nonce, and so on until max
> branches is reached.
>
> Kind regards,
>
> Regards,
>
> *Rik Broers*
>
> */Voice Engineer/*
>
> *From:* Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
> *Sent:* Friday 1 November 2013 11:49
> *To:* OpenSIPS users mailing list
> *Cc:* Rik Broers
> *Subject:* Re: [OpenSIPS-Users] uac_auth
>
> Hello Rik,
>
> So OpenSIPS generates a new INVITE with credentials (as a result
> of the uac_auth()), but this is also rejected?
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
> On 10/31/2013 11:46 AM, Rik Broers wrote:
>
> Hi,
>
> I'm trying to use the uac_auth() function to add Authorization
> to my INVITE after I received a 401 Unauthorized.
>
> I call the function in the failure route and according to
> debug the Authorization header is inserted. I also see this in
> a trace.
>
> Unfortunately I haven't been able to authorize successfully; I
> double checked everything and also tried with phones to ensure
> the credentials are correct and my Asterisk is working.
>
> I'm filling the credentials with a modparam, not with AVP.
>
> In DBG I see this: DBG:uac_auth:build_authorization_hdr: hdr
> is <Authorization: Digest username="**", realm="**",
> nonce="31d5b0d9", uri="***;user=phone",
> response="ea344343187f27c668be8fdc3acf8c5a",
> algorithm=MD5#015#012>
>
> So it seems to match correctly.
>
> I'm authenticating against Asterisk. And my failure route
> looks like this:
>
> failure_route[FailPBX]{
>     xlog("Im in failpbx route");
>     uac_auth();
>     t_on_failure("FailPBX");
>     t_relay();
> }
>
> What happens is the following:
>
> -> Invite
> <- 100 Giving a try
> <- 401 Unauthorized (Unique nonce 1)
> -> ACK
> -> invite with authorization header (unique Nonce 1)
> <- 100 Giving a try
> <- 401 Unauthorized (Unique nonce 2)
> -> invite with authorization header (unique Nonce 2)
> ..... and so on until ERROR:tm:add_uac: maximum number of
> branches exceeded.
>
> The only thing left for me now is to verify that the digest
> calculated is correct. *How can I do this?* What functions
> should I use on Linux?
>
> Below my authorization challenge.
>
> [image: image005.png]
>
> Or are there any other things I'm missing?
>
> I'm using NOTICE:core:main: version: opensips 1.10.0-notls
> (x86_64/linux)
>
> Kind regards,
>
> Regards,
>
> *Rik Broers*
>
> */Voice Engineer/*
>
>
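The digest check discussed in this thread (recomputing HA1, HA2 and the response as per RFC 2617 and comparing with the logged Authorization header), as an added example that is not part of the original messages and is not OpenSIPS or Asterisk code. The function names are hypothetical; the first sample header is the example from RFC 2617 section 3.5, and the SIP-style header uses made-up values.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest for algorithm=MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth mixes in the nonce count and client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # no qop, as in the header logged above

def parse_digest_header(header):
    """Split an 'Authorization: Digest ...' line into a dict of parameters."""
    params = header.partition("Digest ")[2]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def check_header(header, method, password):
    """Recompute the response for a captured header; True if it matches."""
    p = parse_digest_header(header)
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return expected == p["response"].lower()

# Example header from RFC 2617 section 3.5 (password "Circle Of Life", method GET).
RFC_HEADER = ('Authorization: Digest username="Mufasa", '
              'realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
              'uri="/dir/index.html", qop=auth, nc=00000001, '
              'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"')

def build_sip_header(password):
    """Constructed SIP-style header without qop; all values are made up."""
    user, realm, nonce = "alice", "asterisk", "0a1b2c3d"
    uri = "sip:1001@pbx.example.com;user=phone"
    resp = digest_response(user, realm, password, "INVITE", uri, nonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    print(check_header(RFC_HEADER, "GET", "Circle Of Life"))
    sip = build_sip_header("s3cret")
    print(check_header(sip, "INVITE", "s3cret"), check_header(sip, "REGISTER", "s3cret"))
```

The uri passed into HA2 is the exact string from the header's uri parameter (including any ;user=phone suffix), and the method is the request method, so the same credentials give a different response for INVITE and REGISTER.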