[OpenSIPS-Users] uac_auth

Rik Broers RBroers at motto.nl
Wed Nov 27 17:11:07 CET 2013


This is an old mail which was stopped by message size!

I’ve since built a workaround with an asterisk in between.

Regards,
Met vriendelijke groet,

Rik Broers
Voice Engineer


From: users-bounces at lists.opensips.org [mailto:users-bounces at lists.opensips.org] On Behalf Of Rik Broers
Sent: woensdag 6 november 2013 11:54
To: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth

Tried this, and it does change the behaviour! But no fix.
With pedantic on yes I simply do not get any replies after my second invite(first with auth)

Opensips                            asterisk                               Asterlisk log
Invite                    → 
                                ←           401
Ack                        →
Invite with auth →                                         Ignoring SIP message because of retransmit (INVITE Seqno 28625, ours 28625)
Invite with auth →                                         Ignoring SIP message because of retransmit (INVITE Seqno 28625, ours 28625)
Invite with auth →                                         Ignoring SIP message because of retransmit (INVITE Seqno 28625, ours 28625)
…
…
Cancel
---------------
With pedantic on NO I get the 401 loop. Seems like Asterisk is allocating a new SIP Dialog for every invite.

Opensips                                                           asterisk                               Asterisk log
Invite                                                    → 
                                                                ←           401 nonce 1
Ack                                                       →
Invite with auth nonce 1              →                                          Nothing interesting
                                                               ←           401 nonce 2
Ack                                                       →
Invite with auth nonce 2              →
                                                               ←           401 nonce 3
Ack                                                       →
Invite with auth nonce 3              →
…
                                                                                                              Destroying SIP dialog SDaaa01-9275d8409c312151d5e61
        Auto destroying SIP dialog 'SDaaa01-9275d8409c312151d5e61
        Destroying SIP dialog SDiccc7012-1609275d8409c312151d5e61
        Auto destroying SIP dialog 'SDccc7012-11609275d8409c312151d5e61
Last 2 log rules repeat for every loop done.

Sorry for asterisk overload ;) I know this is an opensips list!

Met vriendelijke groet,

Rik Broers
Voice Engineer


From: users-bounces at lists.opensips.org [mailto:users-bounces at lists.opensips.org] On Behalf Of Flavio Goncalves
Sent: woensdag 6 november 2013 10:48
To: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth

Hi Rik, 

Try to use pedantic=no (sip.conf) on Asterisk. it stops some SIP checkings  for Asterisk. Usually this is the default setting, but it is worth checking. 

Best regards, 


Flavio E. Goncalves


2013/11/6 Rik Broers <RBroers at motto.nl>
Hmm I can see that increasing Cseq on proxy would create some out of sequence problems on the original UA.
What else could I try to manage what I want?
 
Maybe B2Bua scenario for opensips?
 
I’m unable to relay the 401 Unauth back to the UA as the call will be stopped then :/ 
Is there a way to trigger the ua to answer me so I get an increased Cseq and that I can transform that message into an invite with auth?
 
I’m also looking into asterisk to see if I can modify it to accept my Same-Cseq invite.
 
Met vriendelijke groet,
 
Rik Broers
Voice Engineer
 
 
From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org] 
Sent: maandag 4 november 2013 12:26

To: Rik Broers
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth
 
Hi Rik,

The truth is in the middle. The second invite from opensips (the one with credentials) must not be considered a retransmission - it has a totally different VIA branch -> different transaction.
Also, OpenSIPS should increase the CSeq when answering to the challenge, but not able to do so as OpenSIPS is mainly a SIP proxy, not a b2bua.

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 11/04/2013 12:22 PM, Rik Broers wrote: 
Hello Bogdan,
 
Yes I’m very sure that the proper credentials are used ;)
 
I’m going to try and calculate the response according to the RFC.
 
One thing I found is that asterisk seems to ignore my second invite with Authorization because of retransmit?
It seems that I should increase my CSEQ on second invite.. How can I do this neatly?
 
[Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22448 handle_incoming: **** Received INVITE (5) - Command in SIP INVITE
[Nov  4 11:08:25] DEBUG[22804]: chan_sip.c:22467 handle_incoming: Ignoring SIP message because of retransmit (INVITE Seqno 12481, ours 12481) Ignoring this INVITE request
 
 
Met vriendelijke groet,
 
Rik Broers
Voice Engineer
 
 
From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org] 
Sent: vrijdag 1 november 2013 12:34
To: Rik Broers
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] uac_auth
 
Hello Rik,

It may be silly , but are you sure you filled in the proper credentials (realm, auth user and password) ??

Also, based on how the response for digest is computed, you can double check the OpenSIPS auth response (calculating the HA and md5 sums as per RFC 2617).

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 11/01/2013 01:09 PM, Rik Broers wrote: 
Yes, thats correct. Opensips sends out an invite with Authorization header as response on the 401 unauthorized.
This authorization header contains the correct Nonce.
Instead of being authorized I receive another 401 unauthorized which opensips replies again with new nonce and so on until max branches is reached.
 
Met vriendelijke groet,
Regards,
 
Rik Broers
Voice Engineer
 
 
From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org] 
Sent: vrijdag 1 november 2013 11:49
To: OpenSIPS users mailling list
Cc: Rik Broers
Subject: Re: [OpenSIPS-Users] uac_auth
 
Hello Rik,

So OpenSIPS generates a new INVITE with credentials (as a result of the uac_auth() ), but this is also rejected ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 10/31/2013 11:46 AM, Rik Broers wrote: 
Hi,
 
I’m trying to use the uac_auth() function to add Authorization to my invite after I received a 401 Unauthorized. 
I call the function in the failure route and according to Debug the authorization header is inserted. I also see this in a trace.
Unfortunately I haven’t been able to authorize successfully, double checked everything and also tried with phones to ensure the credentials are correct and my asterisk is working.
I’m filling the credentials with a modparam not with AVP.
 
In DBG I see this: DBG:uac_auth:build_authorization_hdr: hdr is <Authorization: Digest username="**", realm="**", nonce="31d5b0d9", uri="***;user=phone", response="ea344343187f27c668be8fdc3acf8c5a", algorithm=MD5#015#012>
So it seems to match correctly.
 
I’m authenticating against Asterisk. And my failure route looks like this:
failure_route[FailPBX]{
        xlog("Im in failpbx route");
        uac_auth();
        t_on_failure("FailPBX");
        t_relay();
}
 
What happens is the following
-> Invite
<- 100 Giving a try
<- 401 Unauthorized (Unique nonce 1)
-> ACK
-> invite with authorization header (unique Nonce 1)
<- 100 Giving a try
<- 401 Unauthorized (Unique nonce 2)
-> invite with authorization header (unique Nonce 2)
….. and so on until ERROR:tm:add_uac: maximum number of branches exceeded.
 
 
Only thing left for me now is to verify that the Digest calculated is correct. How can I do this? What functions should I use on linux..
Below my authorization challenge.

 
Or are there any other things I’m missing?
Im using NOTICE:core:main: version: opensips 1.10.0-notls (x86_64/linux)
 
 
Met vriendelijke groet,
Regards,
 
Rik Broers
Voice Engineer
 
 
 
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



More information about the Users mailing list