[OpenSIPS-Users] 401 Unauthorized after Authentication Digest
David Peláez
dvlux4 at gmail.com
Tue May 30 11:43:58 EDT 2017
Hello everyone.
My name is David, I am new to OpenSIPS and I am having some trouble
placing calls from a SIP phone in OpenSIPS to an Asterisk server.
The OpenSIPS server and the Asterisk server are connected through a SIP trunk.
When I make a call from phone A in OpenSIPS to phone B in Asterisk,
digest authorization is required by the Asterisk server. I can respond with
the credentials, but a new 401 Unauthorized message is sent back to
OpenSIPS, and then the message is forwarded to phone A.
Please find attached the pcap file from wireshark and the opensips.cfg file.
Any advice about this?
Best regards
David
-------------- next part --------------
#
# OpenSIPS residential configuration script
# by OpenSIPS Solutions <team at opensips-solutions.com>
#
# This script was generated via "make menuconfig", from
# the "Residential" scenario.
# You can enable / disable more features / functionalities by
# re-generating the scenario with different options.#
#
# Please refer to the Core CookBook at:
# http://www.opensips.org/Resources/DocsCookbooks
# for an explanation of possible statements, functions and parameters.
#
####### Global Parameters #########
# Core settings: logging target and verbosity, worker count, and the
# addresses this proxy listens on and treats as its own.

# NOTE(review): 4 looks like the debug verbosity -- confirm against the core
# docs for the deployed version. Output at this level is very detailed, so
# restrict who can read the LOG_LOCAL0 syslog target and lower it after
# troubleshooting.
log_level=4
# log through syslog (facility below) rather than stderr
log_stderror=no
log_facility=LOG_LOCAL0
#fork = yes
# number of worker processes
children=4
/* uncomment the following lines to enable debugging */
#debug_mode=yes
/* uncomment the next line to enable the auto temporary blacklisting of
not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns
lookup failures (default disabled) */
#dns_try_ipv6=yes
/* comment the next line to enable the auto discovery of local aliases
based on revers DNS on IPs */
#auto_aliases=no
# Address treated as "myself" by the uri==myself / from_uri==myself tests in
# the routing logic; those tests decide which callers must authenticate.
alias=192.168.1.12
###alias=172.16.100.10
# SIP is accepted on UDP and TCP port 5060 of this address.
listen=udp:192.168.1.12:5060 # CUSTOMIZE ME
listen=tcp:192.168.1.12:5060 # CUSTOMIZE ME
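####### Modules Section ########
# Loads every module the routing logic uses and sets its parameters.
# A module has to be loaded before its modparam() lines.

#set module path
mpath="/lib64/opensips/modules/"

#### SIGNALING module
loadmodule "signaling.so"

#### StateLess module
loadmodule "sl.so"

#### Transaction Module
loadmodule "tm.so"
modparam("tm", "fr_timeout", 5)
modparam("tm", "fr_inv_timeout", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)

#### Record Route Module
loadmodule "rr.so"
/* append the From tag to the Record-Route header. The value is 1 (enabled);
   presumably required by the uac "auto" restore mode configured below --
   confirm against the uac module documentation. */
modparam("rr", "append_fromtag", 1)

#### UAC_AUTH
loadmodule "uac_auth.so"
# uac_auth() takes the username, password and realm from these AVPs, which
# the main route fills in.
modparam("uac_auth","auth_username_avp","$avp(user)")
modparam("uac_auth","auth_password_avp","$avp(pass)")
modparam("uac_auth","auth_realm_avp","$avp(realm)")
###modparam("uac_auth","credential","2000:172.16.100.10:2000")

### UAC
loadmodule "uac.so"
modparam("uac","restore_mode","auto")
# NOTE(review): "my_secret_passwd" reads like a documentation sample. This
# value protects the original From/To URI stored in the Record-Route
# parameters below, so use a private, random value in a real deployment.
modparam("uac","restore_passwd","my_secret_passwd")
modparam("uac","rr_from_store_param","my_Fparam")
modparam("uac","rr_to_store_param","my_Tparam")
####modparam("uac","force_dialog",yes)

#### MAX ForWarD module
loadmodule "maxfwd.so"

#### SIP MSG OPerationS module
loadmodule "sipmsgops.so"

#### FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
# Was 0666: every local account could write management commands to the
# running proxy. 0660 limits that to the FIFO's owner and group; add the
# administrators to that group (see the module's fifo_user / fifo_group
# parameters). Moving the FIFO out of the world-writable /tmp is also worth
# considering.
modparam("mi_fifo", "fifo_mode", 0660)

#### URI module
loadmodule "uri.so"
modparam("uri", "use_uri_table", 0)

#### MYSQL module
loadmodule "db_mysql.so"

#### USeR LOCation module
loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "db_mode", 2)
# NOTE(review): this URL (repeated for auth_db|uri, alias_db, dialplan and
# drouting below) connects as the MySQL root account with a password equal
# to the product name. Replace it with a dedicated account limited to the
# opensips database and a strong password, and keep this file readable only
# by the service user since it holds the credentials.
modparam("usrloc", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME

#### REGISTRAR module
loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

#### ACCounting module
loadmodule "acc.so"
/* what special events should be accounted ? */
modparam("acc", "early_media", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direct of the sequential requests.
   if you enable this parameter, be sure the enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)

#### AUTHentication modules
loadmodule "auth.so"
loadmodule "auth_db.so"
# NOTE(review): calculate_ha1 enabled together with a "password" column means
# subscriber passwords are stored in clear text, so a database leak exposes
# them directly. Storing precomputed HA1 values instead avoids that; it needs
# a data migration, so it is only flagged here.
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db|uri", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME
modparam("auth_db", "load_credentials", "")

#### ALIAS module
loadmodule "alias_db.so"
modparam("alias_db", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME

#### DIALPLAN module
loadmodule "dialplan.so"
modparam("dialplan", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME

#### DYNAMMIC ROUTING module
loadmodule "drouting.so"
modparam("drouting", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME

loadmodule "proto_udp.so"
loadmodule "proto_tcp.so"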
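####### Routing Logic ########

# main request routing logic
#
# Order of processing: hop limit, in-dialog requests, CANCEL, retransmission
# absorption, caller authentication, preloaded-route rejection, record
# routing and accounting, then destination selection (outbound, REGISTER,
# trunk prefix, aliases/dialplan, PSTN, user location).
route{
	# Trunk credentials read by uac_auth() through the uac_auth *_avp
	# parameters. They are set on every request and live in this file in
	# clear text, so keep the file readable only by the service user.
	# NOTE(review): the password equals the username; a digest response
	# computed from it is easy to guess offline -- use a strong trunk secret.
	$avp(user):="2000";
	$avp(pass):="2000";
	$avp(realm):="asterisk";

	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	if (has_totag()) {
		# sequential request within a dialog should
		# take the path determined by record-routing
		if (loose_route()) {
			if (is_method("BYE")) {
				# do accounting even if the transaction fails
				do_accounting("log","failed");
			} else if (is_method("INVITE")) {
				# even if in most of the cases is useless, do RR for
				# re-INVITEs also, as some buggy clients do change route set
				# during the dialog.
				record_route();
			}
			# route it out to whatever destination was set by loose_route()
			# in $du (destination URI).
			route(relay);
		} else {
			if ( is_method("ACK") ) {
				if ( t_check_trans() ) {
					# non loose-route, but stateful ACK; must be an ACK after
					# a 487 or e.g. 404 from upstream server
					t_relay();
					exit;
				} else {
					# ACK without matching transaction ->
					# ignore and discard
					exit;
				}
			}
			sl_send_reply("404","Not here");
		}
		exit;
	}

	# CANCEL processing
	if (is_method("CANCEL"))
	{
		if (t_check_trans())
			t_relay();
		exit;
	}

	t_check_trans();

	if ( !(is_method("REGISTER") || is_from_gw() ) ) {
		if (from_uri==myself)
		{
			# authenticate if from local subscriber
			# authenticate all initial non-REGISTER request that pretend to be
			# generated by local subscriber (domain from FROM URI is local)
			if (!proxy_authorize("", "subscriber")) {
				proxy_challenge("", "0");
				exit;
			}
			if (!db_check_from()) {
				sl_send_reply("403","Forbidden auth ID");
				exit;
			}
			# strip the caller's credentials so they are not forwarded
			consume_credentials();
			# caller authenticated
		} else {
			# if caller is not local, then called number must be local
			# (such callers are NOT authenticated; see the trunk branch below)
			if (!uri==myself) {
				send_reply("403","Relay forbidden");
				exit;
			}
		}
	}

	# preloaded route checking
	if (loose_route()) {
		xlog("L_ERR",
			"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
		if (!is_method("ACK"))
			sl_send_reply("403","Preload Route denied");
		exit;
	}

	# record routing
	if (!is_method("REGISTER|MESSAGE"))
		record_route();

	# account only INVITEs
	if (is_method("INVITE")) {
		do_accounting("log");
	}

	if (!uri==myself) {
		append_hf("P-hint: outbound\r\n");
		route(relay);
	}

	# requests for my domain
	if (is_method("PUBLISH|SUBSCRIBE"))
	{
		sl_send_reply("503", "Service Unavailable");
		exit;
	}

	if (is_method("REGISTER"))
	{
		# authenticate the REGISTER requests
		if (!www_authorize("", "subscriber"))
		{
			www_challenge("", "0");
			exit;
		}
		if (!db_check_to())
		{
			sl_send_reply("403","Forbidden auth ID");
			exit;
		}
		if ( proto==TCP || 0 ) setflag(TCP_PERSISTENT);
		if (!save("location"))
			sl_reply_error();
		exit;
	}

	if ($rU==NULL) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	#Anything starting with 2 goes to the callserver 2
	#
	# NOTE(review): a request whose From domain is not local skipped
	# proxy_authorize() above yet still reaches this branch, so the trunk
	# account would vouch for callers this proxy never authenticated.
	# Consider allowing only authenticated local subscribers here.
	if ($rU=~"^2") {
		# The list archive had rewritten "@" as " at " inside these two URIs;
		# they are restored here so the URIs parse.
		uac_replace_from("sip:2000@192.168.1.12");
		uac_replace_to("sip:201@172.16.100.10");
		$rd="172.16.100.10";
		#record_route();
		route(relay);
		exit;
	}
	#t_on_failure("digest_response");
	#t_relay();

	# apply DB based aliases
	alias_db_lookup("dbaliases");

	# apply transformations from dialplan table
	dp_translate("0","$rU/$rU");

	if ($rU=~"^\+[1-9][0-9]+$") {
		if (!do_routing("0")) {
			send_reply("500","No PSTN Route found");
			exit;
		}
		route(relay);
		exit;
	}

	# do lookup with method filtering
	if (!lookup("location","m")) {
		if (!db_does_uri_exist()) {
			send_reply("420","Bad Extension");
			exit;
		}
		t_newtran();
		t_reply("404", "Not Found");
		exit;
	}

	# when routing via usrloc, log the missed calls also
	do_accounting("log","missed");
	route(relay);
}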
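# Arms the per-transaction helper routes for INVITEs, then forwards the
# request statefully and ends script processing.
route[relay] {
	# for INVITEs enable some additional helper routes
	if (is_method("INVITE")) {
		t_on_branch("per_branch_ops");
		t_on_reply("handle_nat");
		# Answer digest challenges with the trunk credentials only when the
		# request is addressed to the trunk host. Arming digest_response for
		# every INVITE would let any destination that replies 401/407 obtain
		# a digest response computed from the trunk password.
		# NOTE(review): this keys on the request-URI domain; confirm it also
		# matches the trunk for in-dialog requests in your setup.
		if ($rd == "172.16.100.10") {
			t_on_failure("digest_response"); # previously ("missed_call")
		} else {
			t_on_failure("missed_call");
		}
		# previously nothing here.
		# NOTE(review): the main route already record-routes initial
		# requests and re-INVITEs before calling this route, so this call
		# looks redundant -- confirm and drop it.
		record_route();
	}
	if (!t_relay()) {
		send_reply("500","Internal Error");
	};
	exit;
}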
# Armed by route[relay] for INVITEs; only logs the request URI of each new
# branch. $ru comes from the received request, so the log line contains
# caller-controlled text.
branch_route[per_branch_ops] {
xlog("new branch at $ru\n");
}
# Armed by route[relay] for INVITEs. Despite the name, it performs no NAT
# handling: it only logs that a reply arrived.
onreply_route[handle_nat] {
xlog("incoming reply\n");
}
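# Runs when a relayed INVITE fails. On a 401/407 challenge it builds digest
# credentials with uac_auth() (from the AVPs set in the main route) and
# sends the request again. Any other failure falls through unchanged.
#
# Changes from the original: the results of uac_auth() and t_relay() are
# checked and logged instead of being ignored, and the record_route() call
# that followed t_relay() is dropped because it came after the request had
# already been relayed.
#
# This route is not re-armed for the retried request, so a second 401/407 is
# passed back to the caller rather than retried in a loop.
# NOTE(review): a repeated 401 usually means the far end rejected the digest
# response (user, password or realm mismatch); some servers presumably also
# expect a higher CSeq on the retry -- check the uac_auth documentation for
# the deployed version.
failure_route[digest_response] {
	if (t_check_status("(401)|(407)")) {
		if (!uac_auth()) {
			# no credentials could be built; the challenge goes back
			# to the caller. Credentials are never written to the log.
			xlog("L_ERR", "uac_auth() failed for call [$ci]\n");
			exit;
		}
		if (!t_relay()) {
			xlog("L_ERR", "relay of authenticated request failed [$ci]\n");
		}
		#xlog("got challenged \n");
		#if(uac_auth()) {
		# xlog("auth was succesfull \n");
		# t_relay();
		exit;
	}
}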
# Failure handler for calls that were not answered: it stops at once when
# the caller cancelled, and otherwise takes no action.
failure_route[missed_call] {
	# the caller gave up; nothing further to do
	if (t_was_cancelled())
		exit;

	# To stop clients from being redirected by 3xx replies,
	# enable the block below.
	##if (t_check_status("3[0-9][0-9]")) {
	##t_reply("404","Not found");
	##	exit;
	##}
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.pcapng
Type: application/x-pcapng
Size: 2156912 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20170530/499d881a/attachment-0001.bin>