[OpenSER-Users] Proxy Authorization - Two Digests

Ash Rah ash at droshta.net
Fri Apr 25 00:09:40 CEST 2008


Hi,

On initial INVITEs, both OpenSER and Asterisk send separate nonces and 
X-Lite then sends back two different digests in a single following INVITE:

Proxy-Authorization: Digest
username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484 at sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5. 


Proxy-Authorization: Digest
username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484 at sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algo

The first one is for asterisk, (realm="asterisk") and the second one is 
for OpenSER. But unfortunately OpenSER probably examines the first 
digest which causes failed Proxy Authorization.

Is it possible to instruct OpenSER to inspect both of the digests before 
it makes a decision?

Thanks.


Johansson Olle E wrote:
>
> 24 apr 2008 kl. 00.55 skrev Ash Rah:
>
>> Unfortunately I need to authenticate in both places. Any suggestion will
>> be greatly appreciated.
> SIP authentication is realm based and also built as a 
> challenge-response mechanism. We're not sending username and password 
> in clear text. The server creates a challenge, called a nonce that is 
> the basis of the authentication scheme. If OpenSER authenticates, 
> there's no way for Asterisk to handle the same authentication headers, 
> since Asterisk did not create the challenge (or the 'nonce' as it is 
> called in the header).
>
> If you have different realms on the servers, then X-lite would have to 
> handle that situation. This is perfectly valid but very few clients 
> support realm based authentication, where you basically set up a list 
> with several sets of credentials, one set per realm (username, 
> secret). Asterisk does support this as a client.
>
> Sorry that I could not come up with a solution, but I hope this 
> explanation helps to understand why it's hard. The usual setup is that 
> you use OpenSER as the authenticating host and set up Asterisk to only 
> trust SIP from OpenSER - by ACL or other means.
>
> /O
>
>>
>>
>> Bogdan-Andrei Iancu wrote:
>>> Hi Ash,
>>>
>>> I guess you first need to decide where you want to have the
>>> authentication done - either on openser or on asterisk. But it
>>> should be a single place.
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Ash Rah wrote:
>>>> Hello,
>>>>
>>>> I am trying to make a design like below to work.
>>>>
>>>> X-Lite ----- OpenSER ----- Asterisk ----->(PSTN Calls)
>>>>
>>>> X-Lite registers with OpenSer and PSTN calls are routed through
>>>> Asterisk from OpenSER. When a call is sent to Asterisk, Asterisk
>>>> tries to authenticate the user on X-Lite. I maintain same username
>>>> and password for both OpenSER and Asterisk.
>>>>
>>>> Now when an INVITE from X-Lite hits OpenSER, it goes through the
>>>> following script and is asked for Proxy Authorization:
>>>>
>>>> if (!proxy_authorize("","subscriber")) {
>>>>     proxy_challenge("","0");
>>>>     exit;
>>>> }
>>>>
>>>> When I dial a PSTN number from X-Lite, X-Lite at some point, ends up
>>>> sending two Digests (one for OpenSER and one for Asterisk) in same
>>>> INVITE but gets stuck with Proxy Authorization failure (from
>>>> OpenSER). If I take off the above proxy_authorize section from
>>>> OpenSER script, everything works fine.
>>>>
>>>> Can anyone suggest a solution to this?
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>>
>>>> U 2008/04/23 13:28:42.314669 110.110.110.110:26986 ->
>>>> 120.120.120.120:5060
>>>> INVITE sip:6048484848484 at sip.dummydomain.com SIP/2.0.
>>>> Via: SIP/2.0/UDP
>>>> 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--d87543-;rport. 
>>>>
>>>>
>>>> Max-Forwards: 70.
>>>> Contact: <sip:1274229212 at 110.110.110.110:26986>.
>>>> To: "6048484848484"<sip:6048484848484 at sip.dummydomain.com>.
>>>> From: "1274229212"<sip:1274229212 at sip.dummydomain.com>;tag=7d74b26b.
>>>> Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
>>>> CSeq: 3 INVITE.
>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>> SUBSCRIBE, INFO.
>>>> Content-Type: application/sdp.
>>>> Proxy-Authorization: Digest
>>>> username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484 at sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5. 
>>>>
>>>>
>>>> Proxy-Authorization: Digest
>>>> username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484 at sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algorithm=MD5.
>>>> User-Agent: X-Lite release 1011s stamp 41150.
>>>> Content-Length: 333.
>>>> .
>>>> v=0.
>>>> o=- 9 2 IN IP4 172.16.40.14.
>>>> s=CounterPath X-Lite 3.0.
>>>> c=IN IP4 172.16.40.14.
>>>> t=0 0.
>>>> m=audio 45136 RTP/AVP 0 101.
>>>> a=alt:1 3 : gpvy8HMY JXNZYRF+ 172.16.40.14 45136.
>>>> a=alt:2 2 : 8S3XPC3M 6q9Z76Pq 192.168.38.1 45136.
>>>> a=alt:3 1 : rISpUdBc PRYZ7B/8 192.168.23.1 45136.
>>>> a=fmtp:101 0-15.
>>>> a=rtpmap:101 telephone-event/8000.
>>>> a=sendrecv.
>>>>
>>>>
>>>> U 2008/04/23 13:28:42.314910 120.120.120.120:5060 ->
>>>> 110.110.110.110:26986
>>>> SIP/2.0 407 Proxy Authentication Required.
>>>> Via: SIP/2.0/UDP
>>>> 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--d87543-;rport=26986;received=110.110.110.110. 
>>>>
>>>>
>>>> To:
>>>> "6048484848484"<sip:6048484848484 at sip.dummydomain.com>;tag=058e81974577b8ca6a831d36c0f6fe25.d85d. 
>>>>
>>>>
>>>> From: "1274229212"<sip:1274229212 at sip.dummydomain.com>;tag=7d74b26b.
>>>> Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
>>>> CSeq: 3 INVITE.
>>>> Proxy-Authenticate: Digest realm="sip.dummydomain.com",
>>>> nonce="480ee6560e7141c28e990448575d0918ce86a82d".
>>>> Server: OpenSER (1.3.1-notls (i386/linux)).
>>>> Content-Length: 0.
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
> ---
> * Olle E Johansson - oej at edvina.net
> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
>
>
>
>
>
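
The realm-based handling discussed in this thread, sketched from the server side as an added example (not code from the thread or from OpenSER): each server checks only the Proxy-Authorization header whose realm and nonce are its own and ignores credentials addressed to other realms. The function names, the password and the second nonce are constructed for illustration; the digest is the RFC 2617 form without qop, since the headers in the trace carry none.

```python
import hashlib
import hmac
import re

# key="quoted value" or key=token, as in the Digest headers in the trace
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_credentials(header_lines):
    """Return one dict of Digest parameters per Proxy-Authorization header."""
    creds = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() == "digest":
            creds.append({k.lower(): q or u for k, q, u in PARAM_RE.findall(params)})
    return creds

def authorize(header_lines, my_realm, issued_nonces, password, method):
    """Verify only credentials for my_realm built on a nonce this server issued."""
    for c in parse_credentials(header_lines):
        if c.get("realm") != my_realm or c.get("nonce") not in issued_nonces:
            continue  # credentials for another server: skip, do not fail
        expected = digest_response(c.get("username", ""), my_realm, password,
                                   c["nonce"], method, c.get("uri", ""))
        if hmac.compare_digest(expected.encode(), c.get("response", "").encode()):
            return True
    return False

# Constructed sample: two digests in one INVITE, one per realm.
URI = "sip:6048484848484@sip.dummydomain.com"
PASSWORD = "s3cret-constructed"  # constructed; the real secret is not on the page

def _hdr(realm, nonce):
    resp = digest_response("1274229212", realm, PASSWORD, nonce, "INVITE", URI)
    return (f'Proxy-Authorization: Digest username="1274229212",realm="{realm}",'
            f'nonce="{nonce}",uri="{URI}",response="{resp}",algorithm=MD5')

SAMPLE = [_hdr("asterisk", "01d3972c"), _hdr("sip.dummydomain.com", "nonce-constructed-1")]
```

With `SAMPLE`, a check that stops at the first header never sees the `sip.dummydomain.com` credentials, while `authorize` succeeds for either realm as long as the nonce is one that server issued.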




