[OpenSIPS-Users] uac_auth

Flavio Goncalves flavio at asteriskguide.com
Wed Nov 6 10:47:52 CET 2013


Hi Rik,

Try to use pedantic=no (sip.conf) on Asterisk. it stops some SIP checkings
 for Asterisk. Usually this is the default setting, but it is worth
checking.

Best regards,

Flavio E. Goncalves



2013/11/6 Rik Broers <RBroers at motto.nl>

>  Hmm I can see that increasing Cseq on proxy would create some out of
> sequence problems on the original UA.
>
> What else could I try to manage what I want?
>
>
>
> Maybe B2Bua scenario for opensips?
>
>
>
> I’m unable to relay the 401 Unauth back to the UA as the call will be
> stopped then :/
>
> Is there a way to trigger the ua to answer me so I get an increased Cseq
> and that I can transform that message into an invite with auth?
>
>
>
> I’m also looking into asterisk to see if I can modify it to accept my
> Same-Cseq invite.
>
>
>
> Met vriendelijke groet,
>
>
>
> *Rik Broers*
>
> *Voice Engineer*
>
>
>
>
>
> *From:* Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
> *Sent:* maandag 4 november 2013 12:26
>
> *To:* Rik Broers
> *Cc:* OpenSIPS users mailling list
> *Subject:* Re: [OpenSIPS-Users] uac_auth
>
>
>
> Hi Rik,
>
> The truth is in the middle. The second invite from opensips (the one with
> credentials) must not be considered a retransmission - it has a totally
> different VIA branch -> different transaction.
> Also, OpenSIPS should increase the CSeq when answering to the challenge,
> but not able to do so as OpenSIPS is mainly a SIP proxy, not a b2bua.
>
> Regards,
>
>
>  Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>
> http://www.opensips-solutions.com
>
>
> On 11/04/2013 12:22 PM, Rik Broers wrote:
>
> Hello Bogdan,
>
>
>
> Yes I’m very sure that the proper credentials are used ;)
>
>
>
> I’m going to try and calculate the response according to the RFC.
>
>
>
> One thing I found is that asterisk seems to ignore my second invite with
> Authorization because of retransmit?
>
> It seems that I should increase my CSEQ on second invite.. How can I do
> this neatly?
>
>
>
> [Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22448 handle_incoming: ****
> Received INVITE (5) - Command in SIP INVITE
>
> [Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22467 handle_incoming:
> Ignoring SIP message because of retransmit (INVITE Seqno 12481, ours 12481)
> Ignoring this INVITE request
>
>
>
>
>
> Met vriendelijke groet,
>
>
>
> *Rik Broers*
>
> *Voice Engineer*
>
>
>
>
>
> *From:* Bogdan-Andrei Iancu [mailto:bogdan at opensips.org<bogdan at opensips.org>]
>
> *Sent:* vrijdag 1 november 2013 12:34
> *To:* Rik Broers
> *Cc:* OpenSIPS users mailling list
> *Subject:* Re: [OpenSIPS-Users] uac_auth
>
>
>
> Hello Rik,
>
> It may be silly , but are you sure you filled in the proper credentials
> (realm, auth user and password) ??
>
> Also, based on how the response for digest is computed, you can double
> check the OpenSIPS auth response (calculating the HA and md5 sums as per
> RFC 2617).
>
> Regards,
>
>
>  Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>
> http://www.opensips-solutions.com
>
>
> On 11/01/2013 01:09 PM, Rik Broers wrote:
>
> Yes, thats correct. Opensips sends out an invite with Authorization header
> as response on the 401 unauthorized.
>
> This authorization header contains the correct Nonce.
>
> Instead of being authorized I receive another 401 unauthorized which
> opensips replies again with new nonce and so on until max branches is
> reached.
>
>
>
> Met vriendelijke groet,
>
> Regards,
>
>
>
> *Rik Broers*
>
> *Voice Engineer*
>
>
>
>
>
> *From:* Bogdan-Andrei Iancu [mailto:bogdan at opensips.org<bogdan at opensips.org>]
>
> *Sent:* vrijdag 1 november 2013 11:49
> *To:* OpenSIPS users mailling list
> *Cc:* Rik Broers
> *Subject:* Re: [OpenSIPS-Users] uac_auth
>
>
>
> Hello Rik,
>
> So OpenSIPS generates a new INVITE with credentials (as a result of the
> uac_auth() ), but this is also rejected ?
>
> Regards,
>
>
>
>  Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>
> http://www.opensips-solutions.com
>
>
> On 10/31/2013 11:46 AM, Rik Broers wrote:
>
> Hi,
>
>
>
> I’m trying to use the uac_auth() function to add Authorization to my
> invite after I received a 401 Unauthorized.
>
> I call the function in the failure route and according to Debug the
> authorization header is inserted. I also see this in a trace.
>
> Unfortunately I haven’t been able to authorize successfully, double
> checked everything and also tried with phones to ensure the credentials are
> correct and my asterisk is working.
>
> I’m filling the credentials with a modparam not with AVP.
>
>
>
> In DBG I see this: DBG:uac_auth:build_authorization_hdr: hdr is
> <Authorization: Digest username="**", realm="**", nonce="31d5b0d9",
> uri="***;user=phone", response="ea344343187f27c668be8fdc3acf8c5a",
> algorithm=MD5#015#012>
>
> So it seems to match correctly.
>
>
>
> I’m authenticating against Asterisk. And my failure route looks like this:
>
> failure_route[FailPBX]{
>
>         xlog("Im in failpbx route");
>
>         uac_auth();
>
>         t_on_failure("FailPBX");
>
>         t_relay();
>
> }
>
>
>
> What happens is the following
>
> -> Invite
>
> <- 100 Giving a try
>
> <- 401 Unauthorized (Unique nonce 1)
>
> -> ACK
>
> -> invite with authorization header (unique Nonce 1)
>
> <- 100 Giving a try
>
> <- 401 Unauthorized (Unique nonce 2)
>
> -> invite with authorization header (unique Nonce 2)
>
> ….. and so on until ERROR:tm:add_uac: maximum number of branches exceeded.
>
>
>
>
>
> Only thing left for me now is to verify that the Digest calculated is
> correct. *How can I do this?* What functions should I use on linux..
>
> Below my authorization challenge.
>
> [image:
> imap://bogdan@opensips.org:993/fetch%3EUID%3E.INBOX%3E191220?header=quotebody&part=1.2&filename=image005.png]
>
>
>
> Or are there any other things I’m missing?
>
> Im using NOTICE:core:main: version: opensips 1.10.0-notls (x86_64/linux)
>
>
>
>
>
> Met vriendelijke groet,
>
> Regards,
>
>
>
> *Rik Broers*
>
> *Voice Engineer*
>
>
>
>
>
>
>
> _______________________________________________
>
> Users mailing list
>
> Users at lists.opensips.org
>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20131106/b5a36542/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 3285 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20131106/b5a36542/attachment-0001.png>


More information about the Users mailing list