[OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user
jacky z
zjack0992 at gmail.com
Thu Sep 15 07:56:46 UTC 2022
Correction on my comments. It is a client side issue. Thank you!
On Thu, Sep 15, 2022 at 3:40 PM jacky z <zjack0992 at gmail.com> wrote:
> After checking the log in the client side, here are some interesting
> findings:
>
> Here is the what the client side received:
>
> WWW-Authenticate: Digest realm="sip.domain.com",
> nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA", qop="auth,auth-int",
> algorithm=SHA-256
>
> Then the client side logs show:
>
> 15:25:51.858 ...Unsupported digest algorithm "SHA-256"
> 15:25:51.859 ....SIP registration error: Invalid/unsupported digest
> algorithm
>
> Firstly, if the server side did not include SHA-256 in the SIP message,
> there would be no such issue. I don't understand why it needs to inform the
> client side "SHA-256". Secondly, if the client side just simply ignored
> "SHA-256", there would be no such issue. However, the client side treated
> it as not supported.
>
> On Thu, Sep 15, 2022 at 3:16 PM jacky z <zjack0992 at gmail.com> wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I tried either specifying it or not. Neither worked. Here is the script
>> when I tried:
>>
>> www_challenge("","auth,auth-int","SHA-256");
>>
>> I also tried specifying the realm in the above code. When the above is
>> used, there is no such error, but always returns 401. I checked the column
>> ha1_sha256 and the hash of the password is correct.
>>
>> Thanks!
>>
>> On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>> wrote:
>>
>>> Hi,
>>>
>>> In your opensips.cfg, when doing auth challenge to the end points, do
>>> you specify the SHA256 alg?
>>>
>>> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>> https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>> https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/15/22 7:18 AM, jacky z wrote:
>>>
>>> Hi Team,
>>>
>>> Does ha1_sha256 work in general opensips config settings? I have the
>>> following in the scripts:
>>>
>>> modparam("auth_db", "calculate_ha1", 0)
>>>
>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>
>>>
>>> but got the following error in the log:
>>>
>>>
>>> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length of
>>> pre-hashed credentials for the algorithm "MD5": 32 expected, 64 provided
>>>
>>>
>>> It seems though the sha256 was specified, but the server still
>>> calculated MD5 and compared with the database column ha1_sha256.
>>>
>>> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> wrote:
>>>
>>>> Hi Bela,
>>>>
>>>> The OCP does not support ha1_sha256 AFAIK. Consider opening a feature
>>>> request here https://github.com/OpenSIPS/opensips-cp/issues
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>> https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>> https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 6/29/22 9:10 AM, Bela H wrote:
>>>>
>>>> Hi all,
>>>>
>>>>
>>>>
>>>> Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using
>>>> password mode ha1_sha256?
>>>>
>>>> The ha1 (MD5(username:realm:password)) works fine but I had no luck
>>>> with the value generation for the ha1_sha256 field in “subscriber” table.
>>>>
>>>>
>>>>
>>>> I have this setting:
>>>>
>>>> modparam("auth_db", "calculate_ha1", 0)
>>>>
>>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> Bela
>>>>
>>>>
>>>>
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220915/2ab151c5/attachment.html>
More information about the Users
mailing list