[OpenSIPS-Users] uac_auth

Rik Broers RBroers at motto.nl
Wed Nov 6 08:02:03 CET 2013


Hmm I can see that increasing Cseq on proxy would create some out of sequence problems on the original UA.
What else could I try to manage what I want?

Maybe B2Bua scenario for opensips?

I'm unable to relay the 401 Unauth back to the UA as the call will be stopped then :/
Is there a way to trigger the ua to answer me so I get an increased Cseq and that I can transform that message into an invite with auth?

I'm also looking into asterisk to see if I can modify it to accept my Same-Cseq invite.

Met vriendelijke groet,

Rik Broers
Voice Engineer



From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
Sent: maandag 4 november 2013 12:26
To: Rik Broers
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth

Hi Rik,

The truth is in the middle. The second invite from opensips (the one with credentials) must not be considered a retransmission - it has a totally different VIA branch -> different transaction.
Also, OpenSIPS should increase the CSeq when answering to the challenge, but not able to do so as OpenSIPS is mainly a SIP proxy, not a b2bua.

Regards,



Bogdan-Andrei Iancu

OpenSIPS Founder and Developer

http://www.opensips-solutions.com

On 11/04/2013 12:22 PM, Rik Broers wrote:
Hello Bogdan,

Yes I'm very sure that the proper credentials are used ;)

I'm going to try and calculate the response according to the RFC.

One thing I found is that asterisk seems to ignore my second invite with Authorization because of retransmit?
It seems that I should increase my CSEQ on second invite.. How can I do this neatly?

[Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22448 handle_incoming: **** Received INVITE (5) - Command in SIP INVITE
[Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22467 handle_incoming: Ignoring SIP message because of retransmit (INVITE Seqno 12481, ours 12481) Ignoring this INVITE request


Met vriendelijke groet,

Rik Broers
Voice Engineer



From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
Sent: vrijdag 1 november 2013 12:34
To: Rik Broers
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth

Hello Rik,

It may be silly , but are you sure you filled in the proper credentials (realm, auth user and password) ??

Also, based on how the response for digest is computed, you can double check the OpenSIPS auth response (calculating the HA and md5 sums as per RFC 2617).

Regards,



Bogdan-Andrei Iancu

OpenSIPS Founder and Developer

http://www.opensips-solutions.com

On 11/01/2013 01:09 PM, Rik Broers wrote:
Yes, thats correct. Opensips sends out an invite with Authorization header as response on the 401 unauthorized.
This authorization header contains the correct Nonce.
Instead of being authorized I receive another 401 unauthorized which opensips replies again with new nonce and so on until max branches is reached.

Met vriendelijke groet,
Regards,

Rik Broers
Voice Engineer



From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
Sent: vrijdag 1 november 2013 11:49
To: OpenSIPS users mailling list
Cc: Rik Broers
Subject: Re: [OpenSIPS-Users] uac_auth

Hello Rik,

So OpenSIPS generates a new INVITE with credentials (as a result of the uac_auth() ), but this is also rejected ?

Regards,




Bogdan-Andrei Iancu

OpenSIPS Founder and Developer

http://www.opensips-solutions.com

On 10/31/2013 11:46 AM, Rik Broers wrote:
Hi,

I'm trying to use the uac_auth() function to add Authorization to my invite after I received a 401 Unauthorized.
I call the function in the failure route and according to Debug the authorization header is inserted. I also see this in a trace.
Unfortunately I haven't been able to authorize successfully, double checked everything and also tried with phones to ensure the credentials are correct and my asterisk is working.
I'm filling the credentials with a modparam not with AVP.

In DBG I see this: DBG:uac_auth:build_authorization_hdr: hdr is <Authorization: Digest username="**", realm="**", nonce="31d5b0d9", uri="***;user=phone", response="ea344343187f27c668be8fdc3acf8c5a", algorithm=MD5#015#012>
So it seems to match correctly.

I'm authenticating against Asterisk. And my failure route looks like this:
failure_route[FailPBX]{
        xlog("Im in failpbx route");
        uac_auth();
        t_on_failure("FailPBX");
        t_relay();
}

What happens is the following
-> Invite
<- 100 Giving a try
<- 401 Unauthorized (Unique nonce 1)
-> ACK
-> invite with authorization header (unique Nonce 1)
<- 100 Giving a try
<- 401 Unauthorized (Unique nonce 2)
-> invite with authorization header (unique Nonce 2)
..... and so on until ERROR:tm:add_uac: maximum number of branches exceeded.


Only thing left for me now is to verify that the Digest calculated is correct. How can I do this? What functions should I use on linux..
Below my authorization challenge.
[imap://bogdan@opensips.org:993/fetch%3EUID%3E.INBOX%3E191220?header=quotebody&part=1.2&filename=image005.png]

Or are there any other things I'm missing?
Im using NOTICE:core:main: version: opensips 1.10.0-notls (x86_64/linux)


Met vriendelijke groet,
Regards,

Rik Broers
Voice Engineer







_______________________________________________

Users mailing list

Users at lists.opensips.org<mailto:Users at lists.opensips.org>

http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20131106/f3a37f14/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3285 bytes
Desc: image001.png
URL: <http://lists.opensips.org/pipermail/users/attachments/20131106/f3a37f14/attachment-0001.png>


More information about the Users mailing list