Hello everyone, I've been working on a project where I would like to implement RFC6035 https://tools.ietf.org/html/rfc6035
Basically, after the end of the call, our SIP UAC sends a SIP PUBLISH to Kamailio where there is some useful information about media quality (packet loss, mos, etc..) This information is stored by Kamailio with sql_query command...
To achieve this, I implemented a custom route function inside Kamailio cfg file, which handles PUBLISH request, check vq-rtcpxr body and store that information into a database. Here is a snippet code:

    # AVPF report route
    route[AVPF] {
        if (!is_method("PUBLISH")) return;
        if (has_body("application/vq-rtcpxr")) {
            # the raw body is escaped with s.escape.common before it goes into the SQL string
            $var(x) = "INSERT INTO quality_reporting_raw(body) VALUES (\"" + $(rb{s.escape.common}) + "\");";
            sql_query("cb", "$(var(x))");
            # ...... reply 200 ok and so on....
            exit(0);
        }
    }
Everything works fine (almost fine, because the report is stored twice...) if I do the route(AVPF) before authentication, like this...
(main route):

    # handle AVPF reports
    route(AVPF);

    # authentication
    route(AUTH);
Instead if I swap these two functions, doing the authentication before publish processing, I have some problems about publish authentication....not for the other requests (INVITE and REGISTER) As far as I know From, To and Request-URI must match the authentication user, in the PUBLISH REQUEST as described here http://kamailio.org/docs/modules/4.2.x/modules/auth_db.html#auth_db.f.auth_c...
I confirm that...I'm sending the SIP PUBLISH from user 101 to user 101, which is currently registered.
My problem is that Kamailio is continuously answering with 407 to the SIP PUBLISH, even if the PUBLISH request has the right Proxy-Authorization header... Digging into the log file, I found this:

    Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db [authorize.c:486]: auth_check(): realm [myhome2.xip.bpt.com] table [subscriber] flags [1]
    Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not found
    Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db [authorize.c:252]: digest_authenticate_hdr(): no credentials
Just for your better understanding I'm doing authorization with db, using subscriber table where there are all the users with 'myhome2.xip.bpt.com' domain... In fact, all INVITEs and REGISTERs are correctly authenticated...
Would you mind address me to find out the problem? Maybe, there's something wrong in my cfg file. Thanks in advance
T,
Tomas Zanet Software Design Department tzanet@came.com
Hello,
can you check what is the value of the realm parameter in Proxy-Authorization header of PUBLISH? Is it myhome2.xip.bpt.com?
Cheers, Daniel
Hello, yes it is. The realm parameter in Proxy-Authorization header is the same for PUBLISH and REGISTER and INVITE as well. I'm doing authentication in this way:

    if (!auth_check("$fd", "subscriber", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }

Thanks, T.
Hello,
REGISTER should have Authorization header.
Can you paste the headers of such PUBLISH?
The log message you pasted in a previous email shows that the realm was not matching:
Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not found
Maybe it is different than From header domain.
Cheers, Daniel
Hello, yes you are right there's Authentication header in the REGISTER request. I meant realm parameter. Anyway, here is the PUBLISH request:
    Request-Line: PUBLISH sip:101@myhome2.xip.bpt.com SIP/2.0
    Via: SIP/2.0/TLS 172.23.254.189:58187;branch=z9hG4bK.58aWk31-b;rport
    From: sip:101@myhome2.xip.bpt.com;tag=cwg1ZGY8e
    To: sip:101@myhome2.xip.bpt.com
    .......
    Proxy-Authorization: Digest realm="myhome2.xip.bpt.com", nonce="VT5iRFU+YRjzMXdoV+ZGLf9J9FU53SfL", username="101", uri="sip:101@myhome2.xip.bpt.com", response="8a6c4d3dbac00a4bea2e52f420b1f72c"

And this is the subscriber query:

    mysql> select * from subscriber;
    +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
    | id | username | domain              | password | email_address | ha1                              | ha1b                             | rpid |
    +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
    | 20 | 100      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
    | 22 | 101      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
    | 23 | 102      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 24 | 103      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 25 | 120      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 26 | 104      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 27 | 105      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 28 | 106      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 29 | 107      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 30 | 108      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
    | 31 | 109      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 32 | 110      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 33 | 121      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    | 34 | 130      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
    +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
Just for your better understanding, Kamailio is behind NAT (I set adverting address in the listen parameter) and SIP UAC as well. Moreover, they are sending SIP messages using SIP/TLS. Thanks for your help
T.
Tomas Zanet Software Design Department tzanet@came.com CAME S.p.A.
Hello,
as you say it is tls, have you taken the trace on client side or on server side? Also, to rule it out -- you don't have any sbc in between, right?
For further troubleshooting, can you add the line:
xlog("Proxy-Authorization header is: $hdr(Proxy-Authorization)\n");
before:
if (!auth_check("$fd", "subscriber", "1")) {
Then set debug=3 and test again. Send the logs for the second processing of the PUBLISH, the one that has credentials in it.
Cheers, Daniel
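The realm and user matching discussed in this thread, as an added Python sketch that is not part of the thread or of Kamailio: it takes a raw SIP request, uses the From domain as the realm (as `auth_check("$fd", ...)` is called above), looks for Digest credentials in the header that applies to the method, and reports where the match fails. The sample request is constructed from the headers posted in the thread; the function names, the verdict strings, the case-insensitive realm comparison and the From-only user check for methods other than PUBLISH are assumptions of this example.

```python
import re

# Constructed sample: the retried PUBLISH, built only from the headers posted in the thread.
PUBLISH_WITH_CREDS = (
    "PUBLISH sip:101@myhome2.xip.bpt.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 172.23.254.189:58187;branch=z9hG4bK.58aWk31-b;rport\r\n"
    "From: sip:101@myhome2.xip.bpt.com;tag=cwg1ZGY8e\r\n"
    "To: sip:101@myhome2.xip.bpt.com\r\n"
    'Proxy-Authorization: Digest realm="myhome2.xip.bpt.com", '
    'nonce="VT5iRFU+YRjzMXdoV+ZGLf9J9FU53SfL", username="101", '
    'uri="sip:101@myhome2.xip.bpt.com", '
    'response="8a6c4d3dbac00a4bea2e52f420b1f72c"\r\n\r\n'
)

URI_RE = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^;>:\s]+)", re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')
COMPACT = {"f": "from", "t": "to"}  # compact header forms


def parse_request(raw):
    """Split a SIP request into (method, request-URI, {header name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    method, ruri = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return method.upper(), ruri, headers


def uri_parts(value):
    """Return (user, lowercased host) of the first SIP URI in value."""
    m = URI_RE.search(value or "")
    return (m.group(1), m.group(2).lower()) if m else (None, None)


def digest_params(value):
    """Parse a Digest credentials header value into a dict; None for other schemes."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(rest)}


def diagnose(raw):
    """Return (verdict, detail) describing where credential matching stops."""
    method, ruri, headers = parse_request(raw)
    from_user, realm = uri_parts(headers.get("from", [""])[0])  # realm = From domain
    to_user, _ = uri_parts(headers.get("to", [""])[0])
    ruri_user, _ = uri_parts(ruri)
    # REGISTER carries Authorization; every other method carries Proxy-Authorization.
    wanted = "authorization" if method == "REGISTER" else "proxy-authorization"
    other = "proxy-authorization" if wanted == "authorization" else "authorization"
    creds = [c for c in map(digest_params, headers.get(wanted, [])) if c]
    if not creds:
        if headers.get(other):
            return "wrong-header", f"credentials are in {other}, expected {wanted}"
        return "no-credentials", f"no {wanted} header in this request"
    # Assumption of this example: realms are compared case-insensitively.
    match = [c for c in creds if c.get("realm", "").lower() == realm]
    if not match:
        seen = sorted({c.get("realm", "") for c in creds})
        return "realm-mismatch", f"From domain {realm!r}, realms offered {seen}"
    user = match[0].get("username", "")
    must = {"from": from_user}  # From-only for other methods is an assumption
    if method == "PUBLISH":  # rule quoted in the thread: From, To and R-URI
        must.update({"to": to_user, "r-uri": ruri_user})
    bad = [name for name, value in must.items() if value != user]
    if bad:
        return "user-mismatch", f"username {user!r} differs from the user in {bad}"
    return "credentials-found", "realm and user match; the digest response is checked next"
```

A `no-credentials` verdict on the first PUBLISH is normal, since that request precedes the 407 challenge; the verdict on the retried request is the one that matters.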