<div>I tried to use all of the algorithms which fhoss can support, but they did not work.</div><div><br></div><div>Fortunately, I found that my UE did not send the digest response for the received nonce to the server after 401 unauthorized.</div><div>(digest response content is empty in the 2nd register packet.)</div><div><br></div><div>I think this is the cause of the authentication problem. So I changed to another smartphone, but the same problem has occurred.</div><div><br></div><!-- begin signature --><!-- end signature --><div><br></div><div><br></div><div>-----Original Message-----</div><div>From: "Yuriy Gorlichenko" <ovoshlook@gmail.com></div><div>To: "오택경" <ohtk@kaist.ac.kr>;</div><div>Cc: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>;</div><div>Sent: 2021-08-24 (화) 21:37:36 (UTC+09:00)</div><div>Subject: Re: Re: [SR-Users] [VoLTE] 401 unauthorized error</div><div><br></div><div dir="auto">I do not remember, to be honest, if IMS supports basic md5 auth algorithms. You need to go through specs about algo supported. Also try to look into docs of kamailio ims modules which algorithms it implements. If you find one which satisfies your device for negotiation then just use it. If no - try to update your client to have support of one of the proper algorithms.</div><div><br></div><div><div dir="ltr">On Tue, 24 Aug 2021, 10:45 오택경, <<a href="mailto:ohtk@kaist.ac.kr" target="_blank">ohtk@kaist.ac.kr</a>> wrote:</div><blockquote style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex;"><div>Thank you for your help!</div><div><br></div><div>I looked into the UE's IMS register request as you told me. (the content of request is shown below)</div><div><br></div><div>As my thinking, my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.</div><div><br></div><div>But fhoss cannot support above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).</div><div><br></div><div>What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?</div><div><br></div><div>Very thanks,</div><div>Taekkyung Oh.</div><div><br></div><div><strong><em><IMS register request from the UE></em></strong></div><div><strong>Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) on interface 0</strong></div><div><strong>Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: 02:42:ac:16:00:06 (02:42:ac:16:00:06)</strong></div><div><strong>Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6</strong></div><div><strong>User Datagram Protocol, Src Port: 2152, Dst Port: 2152</strong></div><div><strong>GPRS Tunneling Protocol</strong></div><div><strong>Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21</strong></div><div><strong>Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, Ack: 1, Len: 750</strong></div><div><strong>[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]</strong></div><div><strong>Session Initiation Protocol (REGISTER)</strong></div><div><strong> Request-Line: REGISTER sip:<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a> SIP/2.0</strong></div><div><strong> Method: REGISTER</strong></div><div><strong> Request-URI: sip:<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> Request-URI Host Part: <a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> [Resent Packet: False]</strong></div><div><strong> Message Header</strong></div><div><strong> To: <<a href="mailto:sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a>></strong></div><div><strong> SIP to address: <a href="mailto:sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> SIP to address User Part: 001010000031094</strong></div><div><strong> SIP to address Host Part: <a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> From: <<a href="mailto:sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a>>;tag=qyecbkJ</strong></div><div><strong> SIP from address: <a href="mailto:sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> SIP from address User Part: 001010000031094</strong></div><div><strong> SIP from address Host Part: <a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a></strong></div><div><strong> SIP from tag: qyecbkJ</strong></div><div><strong> Contact: <<a href="http://sip:001010000031094@192.168.101.3:5060" rel="noreferrer" target="_blank">sip:001010000031094@192.168.101.3:5060</a>>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"</strong></div><div><strong> Contact URI: <a href="http://sip:001010000031094@192.168.101.3:5060" rel="noreferrer" target="_blank">sip:001010000031094@192.168.101.3:5060</a></strong></div><div><strong> Contact URI User Part: 001010000031094</strong></div><div><strong> Contact URI Host Part: 192.168.101.3</strong></div><div><strong> Contact URI Host Port: 5060</strong></div><div><strong> Contact parameter: +sip.instance="<urn:gsma:imei:86355804-632692-0>"</strong></div><div><strong> Contact parameter: +g.3gpp.accesstype="cellular2"</strong></div><div><strong> Contact parameter: audio</strong></div><div><strong> Contact parameter: video</strong></div><div><strong> Contact parameter: +g.3gpp.smsip</strong></div><div><strong> Contact parameter: +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n</strong></div><div><strong> Expires: 600000</strong></div><div><strong> P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01</strong></div><div><strong> access-type: 3GPP-E-UTRAN-FDD</strong></div><div><strong> utran-cell-id-3gpp: 0010100010019B01</strong></div><div><strong> Supported: path,sec-agree</strong></div><div><strong> Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER</strong></div><div><strong> Require: sec-agree</strong></div><div><strong> Proxy-Require: sec-agree</strong></div><div><strong> [truncated]Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-sha-1-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: des-ede3-cbc</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-sha-1-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: aes-cbc</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-sha-1-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: null</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-md5-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: des-ede3-cbc</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-md5-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: aes-cbc</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> [Security-mechanism]: ipsec-3gpp</strong></div><div><strong> alg: hmac-md5-96</strong></div><div><strong> prot: esp</strong></div><div><strong> mod=trans</strong></div><div><strong> ealg: null</strong></div><div><strong> spi-c: 10559690 (0x00a120ca)</strong></div><div><strong> spi-s: 65664952 (0x03e9f7b8)</strong></div><div><strong> port-c: 31112</strong></div><div><strong> port-s: 31803</strong></div><div><strong> Authorization: Digest username="<a href="mailto:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a>",realm="<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a>",uri="sip:<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a>",nonce="",response=""</strong></div><div><strong> Authentication Scheme: Digest</strong></div><div><strong> Username: "<a href="mailto:001010000031094@ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">001010000031094@ims.mnc001.mcc001.3gppnetwork.org</a>"</strong></div><div><strong> Realm: "<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a>"</strong></div><div><strong> Authentication URI: "sip:<a href="http://ims.mnc001.mcc001.3gppnetwork.org" rel="noreferrer" target="_blank">ims.mnc001.mcc001.3gppnetwork.org</a>"</strong></div><div><strong> Nonce Value: ""</strong></div><div><strong> Digest Authentication Response: ""</strong></div><div><strong> Call-ID: <a href="mailto:txecbknlk@192.168.101.3" rel="noreferrer" target="_blank">txecbknlk@192.168.101.3</a></strong></div><div><strong> CSeq: 1 REGISTER</strong></div><div><strong> Sequence Number: 1</strong></div><div><strong> Method: REGISTER</strong></div><div><strong> Max-Forwards: 70</strong></div><div><strong> Via: SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport</strong></div><div><strong> Transport: TCP</strong></div><div><strong> Sent-by Address: 192.168.101.3</strong></div><div><strong> Sent-by port: 5060</strong></div><div><strong> Branch: z9hG4bKrzecbkJzsat7Xk6daqm5</strong></div><div><strong> RPort: rport</strong></div><div><strong> User-Agent: IM-client/OMA1.0 HW-Rto/V1.0</strong></div><div><strong> Content-Length: 0</strong></div><div><br></div><div><br></div><div><br></div><div><br></div><div>-----Original Message-----</div><div>From: "Yuriy Gorlichenko" <<a href="mailto:ovoshlook@gmail.com" rel="noreferrer" target="_blank">ovoshlook@gmail.com</a>></div><div>To: "Kamailio (SER) - Users Mailing List" <<a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer" target="_blank">sr-users@lists.kamailio.org</a>>;</div><div>Cc:</div><div>Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00)</div><div>Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error</div><div><br></div><div dir="auto"><div dir="auto"><br></div>Hi 401 is normal response for sip auth<div dir="auto">It is also normal response for IMS service</div><div dir="auto">Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change </div><div dir="auto">I believe you did not check further request processing.<br><div dir="auto"><div dir="ltr">On Mon, 23 Aug 2021, 18:19 오택경, <<a href="mailto:ohtk@kaist.ac.kr" rel="noreferrer noreferrer" target="_blank">ohtk@kaist.ac.kr</a>> wrote:</div><blockquote style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex;"><div>Hi.</div><div><br></div><div>I am implementing the VoLTE setup with the dockerized project (<a href="https://github.com/herlesupreeth/docker_open5gs" rel="noopener noreferrer noreferrer noreferrer noreferrer" target="_blank">https://github.com/herlesupreeth/docker_open5gs</a>).</div><div><br></div><div>I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.</div><div><br></div><div>How can I fix this problem?</div><div><br></div><div>I will share the discussion note in which I tried to solve some problems including the above one.</div><div>: <a href="https://github.com/herlesupreeth/docker_open5gs/issues/55" rel="noopener noreferrer noreferrer noreferrer noreferrer" target="_blank">https://github.com/herlesupreeth/docker_open5gs/issues/55</a></div><div><br></div><div>Very thanks,</div><div>Taekkyung Oh.</div><table><tbody><tr><td><img src="https://gov-dooray.com/mail-receipts?img=413230714c615274-2594eb34eb561664-2ac64ba085c6925f-2ac64baff2f15e36.gif" border="0"></td></tr></tbody></table>__________________________________________________________<br>Kamailio - Users Mailing List - Non Commercial Discussions<br> * <a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer noreferrer noreferrer" target="_blank">sr-users@lists.kamailio.org</a><br>Important: keep the mailing list in the recipients, do not reply only to the sender!<br>Edit mailing list options or unsubscribe:<br> * <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></blockquote></div></div></div><div>__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * <a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer" target="_blank">sr-users@lists.kamailio.org</a> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></blockquote></div>-----Original Message-----<div>From: "Yuriy Gorlichenko" <<a href="mailto:ovoshlook@gmail.com" target="_blank" rel="noreferrer">ovoshlook@gmail.com</a>></div><div>To: "Kamailio (SER) - Users Mailing List" <<a href="mailto:sr-users@lists.kamailio.org" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a>>;</div><div>Cc:</div><div>Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00)</div><div>Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error</div><div><br></div><div dir="auto"><div dir="auto"><br></div>Hi 401 is normal response for sip auth<div dir="auto">It is also normal response for IMS service</div><div dir="auto">Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change </div><div dir="auto">I believe you did not check further request processing.<br><div dir="auto"><div dir="ltr">On Mon, 23 Aug 2021, 18:19 오택경, <<a href="mailto:ohtk@kaist.ac.kr" rel="noreferrer noreferrer" target="_blank">ohtk@kaist.ac.kr</a>> wrote:</div><blockquote style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex;"><div>Hi.</div><div><br></div><div>I am implementing the VoLTE setup with the dockerized project (<a href="https://github.com/herlesupreeth/docker_open5gs" rel="noopener noreferrer noreferrer noreferrer noreferrer" target="_blank">https://github.com/herlesupreeth/docker_open5gs</a>).</div><div><br></div><div>I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.</div><div><br></div><div>How can I fix this problem?</div><div><br></div><div>I will share the discussion note in which I tried to solve some problems including the above one.</div><div>: <a href="https://github.com/herlesupreeth/docker_open5gs/issues/55" rel="noopener noreferrer noreferrer noreferrer noreferrer" target="_blank">https://github.com/herlesupreeth/docker_open5gs/issues/55</a></div><div><br></div><div>Very thanks,</div><div>Taekkyung Oh.</div><table><tbody><tr><td><img src="https://gov-dooray.com/mail-receipts?img=413230714c615274-2594eb34eb561664-2ac64ba085c6925f-2ac64baff2f15e36.gif" border="0"></td></tr></tbody></table>__________________________________________________________<br>Kamailio - Users Mailing List - Non Commercial Discussions<br> * <a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer noreferrer noreferrer" target="_blank">sr-users@lists.kamailio.org</a><br>Important: keep the mailing list in the recipients, do not reply only to the sender!<br>Edit mailing list options or unsubscribe:<br> * <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></blockquote></div></div></div><div>__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * <a href="mailto:sr-users@lists.kamailio.org" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank" rel="noreferrer">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a></div>
<table><tbody><tr><td><img src="https://gov-dooray.com/mail-receipts?img=72477731726e2f46-2594eb34eb561664-2ac8127a20881b2f-2ac813cba772d6be.gif" border="0"></td></tr></tbody></table>
<!--[if mso]>
<table style ="display:none"><tr><td><img src="https://gov-dooray.com/mail-receipts?img=6451543132732b44-2594eb34eb561664-2ac8d4005c279aa6-2ac8d647cc409ebb.gif" border="0"></td></tr></table>
<![endif]-->
<!--[if !mso]><!-- -->
<table style ="visibility: hidden;"><tr><td><img src="https://gov-dooray.com/mail-receipts?img=6451543132732b44-2594eb34eb561664-2ac8d4005c279aa6-2ac8d647cc409ebb.gif" border="0"></td></tr></table>
<!--[endif]-->