Hi, when I do a call with hidden callerid from my Twinkle it sends an INVITE with:
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" sip:anonymous@anonymous.invalid;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
-----------
and of course my Openser asks Twinkle for authentication:
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
and I see the $rc code of "proxy-authentication()" is -4 (no credentials).
So my Twinkle sends a correct INVITE (CSeq + 1 and "Proxy-Authorization" header):
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" sip:anonymous@anonymous.invalid;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", uri="sip:1414@my_domain.net", response="061d82967778669a01e53d168f2da93b", algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
-----------
But "proxy-authentication()" replies again with -4 (no credentials).
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
Why? Obviously the INVITE **does include** Proxy-Authorization. Maybe RFC3261 says that a server must not challenge for authentication a user with From "Anonymous" sip:anonymous@anonymous.invalid ?
Of course authentication works properly when not hiding callerid.
Thanks for any explanation.
Iñaki Baz Castillo writes:
Why? Obviously the INVITE **does include** Proxy-Authorization. Maybe RFC3261 says that a server must not challenge for authentication a user with From "Anonymous" sip:anonymous@anonymous.invalid ?
inaki,
you can configure twinkle to include p-p-i header that includes real from uri and then use information in that to authenticate the caller.
-- juha
On Thursday 05 June 2008 17:34:11 Juha Heinanen wrote:
Iñaki Baz Castillo writes:
Why? Obviously the INVITE **does include** Proxy-Authorization. Maybe RFC3261 says that a server must not challenge for authentication a user with From "Anonymous" sip:anonymous@anonymous.invalid ?
inaki,
you can configure twinkle to include p-p-i header that includes real from uri and then use information in that to authenticate the caller.
Hi Juha, I already do it (option enabled). Please, note that the second INVITE Twinkle sends after 407 includes PPI:
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
So all is correct. The second INVITE includes:
- CSeq + 1
- Proxy-Authorization with credentials and realm asked in the 407.
But OpenSer "proxy_authorize()" replies again -4 (no credentials).
All seems correct, this is why I think that maybe RFC3261 disallows challenge for request with "From" == "Anonymous" sip:anonymous@anonymous.invalid.
Thanks.
Iñaki Baz Castillo writes:
Twinkle sends after 407 includes PPI:
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
So all is correct. The second INVITE includes:
- CSeq + 1
- Proxy-Authorization with credentials and realm asked in the 407.
But OpenSer "proxy_authorize()" replies again -4 (no credentials).
did you call [radius-]proxy_authorize with domain and uri user params taken from p-p-i header?
-- juha
Hi!
Do you have the domain hardcoded in the authenticate function? If not openser tries to detect it from the from header (anonymous.invalid) and thus may not find the authorization header.
regards klaus
Iñaki Baz Castillo wrote:
Hi, when I do a call with hidden callerid from my Twinkle it sends an INVITE with:
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" sip:anonymous@anonymous.invalid;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
and of course my Openser asks Twinkle for authentication:
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
and I see the $rc code of "proxy-authentication()" is -4 (no credentials).
So my Twinkle sends a correct INVITE (CSeq + 1 and "Proxy-Authorization" header):
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" sip:anonymous@anonymous.invalid;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", uri="sip:1414@my_domain.net", response="061d82967778669a01e53d168f2da93b", algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
But "proxy-authentication()" replies again with -4 (no credentials).
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
Why? Obviously the INVITE **does include** Proxy-Authorization. Maybe RFC3261 says that a server must not challenge for authentication a user with From "Anonymous" sip:anonymous@anonymous.invalid ?
Of course authentication works properly when not hiding callerid.
Thanks for any explanation.
On Thursday 05 June 2008 17:45:56 Klaus Darilion wrote:
Hi!
Do you have the domain hardcoded in the authenticate function? If not openser tries to detect it from the from header (anonymous.invalid) and thus may not find the authorization header.
No, I've it fixed. Note the 407 and next INVITE in my first message ;)
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" sip:anonymous@anonymous.invalid;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" sip:ibc@my_domain.net
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net", nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", uri="sip:1414@my_domain.net", response="061d82967778669a01e53d168f2da93b", algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
-----------
Thanks.
On Thursday 05 June 2008 17:45:56 Klaus Darilion wrote:
Hi!
Do you have the domain hardcoded in the authenticate function? If not openser tries to detect it from the from header (anonymous.invalid) and thus may not find the authorization header.
Opsss, right! I set the Realm fixed just in the proxy_challenge() but not in proxy_authorize(), that's the reason.
Thanks a lot Juha and Klaus for your help :)
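
The cause found in this thread, as an added example that is not part of the original messages and is not OpenSER code: a simplified Python model of how a proxy picks the Proxy-Authorization credentials by realm, falling back to the From URI domain when no realm is configured. The request is constructed (modelled on the second INVITE above, with placeholder nonce and response), and the function names are hypothetical.

```python
import re

# Constructed request modelled on the second INVITE in the thread.
INVITE = (
    'INVITE sip:1414@my_domain.net SIP/2.0\r\n'
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn\r\n'
    'Privacy: id\r\n'
    'P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>\r\n'
    'Proxy-Authorization: Digest username="ibc", realm="my_domain.net", '
    'nonce="constructed-nonce", uri="sip:1414@my_domain.net", '
    'response="constructed-response", algorithm=MD5\r\n'
    '\r\n'
)

NO_CREDENTIALS = -4  # the $rc value reported in the thread


def headers(msg, name):
    """Return the values of every header called `name` (case-insensitive)."""
    out = []
    for line in msg.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            out.append(value.strip())
    return out


def from_domain(msg):
    """Host part of the From URI, used as realm when none is configured."""
    m = re.search(r"sips?:(?:[^@>;\s]+@)?([^>;:\s]+)", headers(msg, "From")[0])
    return m.group(1).lower()


def select_credentials(msg, realm=""):
    """Pick the Proxy-Authorization whose realm matches; -4 if none does."""
    # Assumption of this model: realms are compared case-insensitively.
    realm = (realm or from_domain(msg)).lower()
    for value in headers(msg, "Proxy-Authorization"):
        found = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
        params = {k: quoted or bare for k, quoted, bare in found}
        if params.get("realm", "").lower() == realm:
            return params
    return NO_CREDENTIALS
```

With an empty realm the lookup searches for realm "anonymous.invalid" and reports no credentials even though the header is present; with the same fixed realm that was used in the challenge, the credentials for "ibc" are found.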