Hello,
we have a problem with the SIP trunk of an Aastra Intelligate PBX.
Registration fails with the SER error message "pre_auth(): Credentials received are not filled properly". SER is 0.8.14.
See ngrep:
# U 2005/02/15 11:40:46.093312 aastra_intelligate:5060 -> toplink_proxy:5060 REGISTER sip:toplink-voice.de SIP/2.0. Via: SIP/2.0/UDP aastra_intelligate:5060;branch=fc15d6ace7866108222849a9dd6303d8. To: usernamesip:username@toplink-voice.de:5060. From: usernamesip:username@toplink-voice.de:5060;tag=f52ad23f5a30a9cd. Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9@aastra_intelligate. CSeq: 2289 REGISTER. Max-Forwards: 70. Expires: 3000. Contact: sip:username@aastra_intelligate. Allow: ACK,BYE,CANCEL,INVITE. User-Agent: Aastra Intelligate. Content-Length: 0. .
# U 2005/02/15 11:40:46.093883 toplink_proxy:5060 -> aastra_intelligate:5060 SIP/2.0 401 Unauthorized. Via: SIP/2.0/UDP aastra_intelligate:5060;branch=fc15d6ace7866108222849a9dd6303d8. To: usernamesip:username@toplink-voice.de:5060;tag=16ac3fc2258766c821c391b58b08db64.9f29. From: usernamesip:username@toplink-voice.de:5060;tag=f52ad23f5a30a9cd. Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9@aastra_intelligate. CSeq: 2289 REGISTER. WWW-Authenticate: Digest realm="toplink-voice.de", nonce="4211d2da1728b0bd58773cf042217a138e8508ca", qop="auth". Content-Length: 0. .
# U 2005/02/15 11:40:46.321069 aastra_intelligate:5060 -> toplink_proxy:5060 REGISTER sip:toplink-voice.de SIP/2.0. Via: SIP/2.0/UDP aastra_intelligate:5060;branch=c46c24632f85f6b001dca195835600a4. To: usernamesip:username@toplink-voice.de:5060. From: usernamesip:username@toplink-voice.de:5060;tag=f52ad23f5a30a9cd. Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9@aastra_intelligate. CSeq: 2290 REGISTER. Max-Forwards: 70. Expires: 3000. Contact: sip:username@aastra_intelligate. Allow: ACK,BYE,CANCEL,INVITE. Authorization: Digest nc=00000001,nonce="4211d2da1728b0bd58773cf042217a138e8508ca",qop=auth,realm="toplink-voice.de",response="62989172348871cf1fd92b4bc9bc3be2",uri="sip:toplink-voice.de",username="username". User-Agent: Aastra Intelligate. Content-Length: 0. .
# U 2005/02/15 11:40:46.321559 toplink_proxy:5060 -> aastra_intelligate:5060 SIP/2.0 400 Bad Request. Via: SIP/2.0/UDP aastra_intelligate:5060;branch=c46c24632f85f6b001dca195835600a4. To: usernamesip:username@toplink-voice.de:5060;tag=16ac3fc2258766c821c391b58b08db64.f64f. From: usernamesip:username@toplink-voice.de:5060;tag=f52ad23f5a30a9cd. Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9@aastra_intelligate. CSeq: 2290 REGISTER. Content-Length: 0.
When I take a look at the Authorization Header of the PBX:
Authorization: Digest nc=00000001, nonce="4211d2da1728b0bd58773cf042217a138e8508ca", qop=auth, realm="toplink-voice.de", response="62989172348871cf1fd92b4bc9bc3be2", uri="sip:toplink-voice.de", username="username"
It is obvious that the cnonce is missing.
According to RFC2617 it should be present, right?
Quote RFC2617: "cnonce This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message integrity protection. See the descriptions below of the calculation of the response-digest and request-digest values."
Could anyone please verify this? Testing with the SIPgate.de SER proxy, registration works. How is this possible if the PBX is not sending RFC2617 compliant Authorization headers?
With best regards, Martin Koenig
Hi Martin,
Indeed, according to the RFC, the cnonce and nc are required when qop is used. It looks like a bug in the PBX. You can try to get over it by disabling "qop" in SER authentication.
Best regards, Marian
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
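The RFC 2617 rule discussed in this thread (cnonce and nc are required when qop is sent, and must not appear when the server offered no qop) can be checked mechanically. The following is an added example, not part of the original posts and not SER's pre_auth() code; the function names and the cnonce value in FIXED_HEADER are made up for illustration.

```python
import re

# One directive: key=value, value is a quoted-string or a bare token,
# followed by a comma or the end of the header.
_PAIR = re.compile(r'\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_digest(header):
    """Return the directives of an Authorization: Digest header as a dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() not in ("authorization", "proxy-authorization"):
        raise ValueError("not a credentials header")
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not Digest credentials")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PAIR.match(rest, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        key = m.group(1).lower()
        if key in params:
            raise ValueError("duplicate directive: " + key)
        params[key] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return params

def check_credentials(params, challenge_had_qop):
    """List RFC 2617 section 3.2.2 violations found in parsed credentials."""
    problems = []
    for required in ("username", "realm", "nonce", "uri", "response"):
        if required not in params:
            problems.append("missing " + required)
    if "qop" in params:
        for needed in ("cnonce", "nc"):
            if needed not in params:
                problems.append("missing " + needed + " (required with qop)")
        if "nc" in params and not re.fullmatch(r"[0-9a-fA-F]{8}", params["nc"]):
            problems.append("nc is not 8 hex digits")
    if not challenge_had_qop:
        for banned in ("cnonce", "nc"):
            if banned in params:
                problems.append(banned + " sent but server offered no qop")
    return problems

# Header copied from the trace in this thread, plus a constructed compliant
# variant (the cnonce value is made up for illustration).
PBX_HEADER = 'Authorization: Digest nc=00000001, nonce="4211d2da1728b0bd58773cf042217a138e8508ca", qop=auth, realm="toplink-voice.de", response="62989172348871cf1fd92b4bc9bc3be2", uri="sip:toplink-voice.de", username="username"'
FIXED_HEADER = PBX_HEADER + ', cnonce="0a4f113b"'
```

Calling check_credentials(parse_digest(PBX_HEADER), True) reports the missing cnonce; the same call on FIXED_HEADER returns an empty list.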