As a follow-up and closing to this thread and my loose_routing security thread, this is how
my project ended up:
This setup was designed to:
- Whitelist my gateway IPs.
- Any initial INVITEs from non-gateway IPs will be authorized and the dialog will be added to
a simple htable based on callid
- Any in-dialog will do a lookup on the htable so that authorization isn't required
on bye and the like.
This was all successfully accomplished EXCEPT for the fact that while I could authorize
asterisk, asterisk then INSISTED upon authorizing kamailio as well (It would send kamailio
a 401 Unauthorized for any invite sent to asterisk). So then I started working on using
UAC to authorize to asterisk in response to the 401. Kamailio appends a new branch but
asterisk does not work with branches, instead it only saw that the CSEQ for the 2nd invite
with the authorize header had not incremented and it therefore ignores the 2nd invite and
instead sends another 401. I then tried playing with a system to hackishly manually
increment the CSEQ, but this would have to be done ONLY for messages destined to asterisk,
the other side of the call would have to be -1 CSEQ. This became a major issue because it
is quite difficult to tell WHAT ip you are sending the packet to. Instead I abandoned this
craziness in favor of a much much simpler whitelisted gateways in htable approach. The
only downside is that adding a new gateway now involves editing the config file and reloading
kamailio. At some point I could put this in SQL and just update the gateways daily ie.
DASH.
Thanks for all the help everyone, if it looks like I missed something please let me know
as I would have preferred doing as above, but what I have now is functional.
-Eric
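
The design listed at the top of this message (gateway whitelist in an htable, digest challenge for other sources, Call-ID table for in-dialog requests), as an added example that is not part of the original post or the poster's configuration. The gateway addresses, table names, database URL and `subscriber` credentials table are assumptions, and it records the Call-ID for gateway-originated dialogs too so that the far side's BYE passes the same lookup.

```kamailio
#!KAMAILIO
# Added sketch, not the poster's config. IPs, table names, DB URL and the
# "subscriber" table are assumptions; 192.0.2.x are constructed addresses.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "db_mysql.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "htable.so"

modparam("auth_db", "db_url", "mysql://kamailio:CHANGEME@localhost/kamailio")
# gw: whitelisted gateway IPs. dlg: Call-IDs of accepted dialogs; entries
# expire after 2 hours (assumed limit), so longer calls need a larger value.
modparam("htable", "htable", "gw=>size=4;")
modparam("htable", "htable", "dlg=>size=8;autoexpire=7200;")

event_route[htable:mod-init] {
    # Adding a gateway means editing this list and reloading Kamailio.
    $sht(gw=>192.0.2.10) = 1;
    $sht(gw=>192.0.2.11) = 1;
}

request_route {
    if (has_totag()) {
        # In-dialog (ACK, BYE, re-INVITE): no challenge, only a table lookup.
        if ($sht(dlg=>$ci) == $null) { sl_send_reply("403", "Forbidden"); exit; }
        if (!loose_route()) { sl_send_reply("404", "Not here"); exit; }
        t_relay();
        exit;
    }
    if (!is_method("INVITE")) { sl_send_reply("405", "Method Not Allowed"); exit; }
    if ($sht(gw=>$si) == $null) {
        # Source is not a whitelisted gateway: require digest credentials.
        if (!proxy_authorize("$fd", "subscriber")) {
            proxy_challenge("$fd", "0");
            exit;
        }
        consume_credentials();   # do not forward the credentials downstream
    }
    $sht(dlg=>$ci) = 1;          # remember the accepted dialog by Call-ID
    record_route();              # keep in-dialog requests on this proxy
    t_relay();
}
```
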
CC: sr-users(a)lists.sip-router.org
From: abalashov(a)evaristesys.com
Date: Sun, 17 Apr 2011 19:25:31 -0400
To: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] Authenticate if receiving 401
You can use the UAC module for that, and it might work, but basically that's not
something a proxy should be doing. The sending UA should respond to the challenge.
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
On Apr 17, 2011, at 6:29 PM, Eric Hiller <mrraptor98(a)hotmail.com> wrote:
I want kamailio to authenticate itself to a host
if it is sent a 401, just as that host is expected to authenticate if kamailio sends it
one. I am not finding much online, probably because I am not searching for the right
terms. Does anyone have any experience in this?
Thanks!
-Eric
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users