Hello!
Kamailio 5.7.6
Debian 10.12
Here is my authentication route:
``` route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "0")) { auth_challenge("$fd", "2"); # flag not 0 exit; } # user authenticated - remove auth header if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } ... } ```
start eyebeam Version 1.5.14.4
``` eyebeam --->REGISTER ----> kamailio <--401 (WWW-Authenticate: Digest realm="192.168.3.10", nonce=..., qop="auth-int") --->REGISTER (Authorization: Digest username="08001",realm="192.168.3.10",nonce=...,uri=...,response=...,cnonce=...,nc=00000001,qop=auth-int,algorithm=MD5) <--401 (auth_challenge() return -2 ) ```
OpenSIPS 3.4.12 register to kamailio, got the same result as eyebeam
Any suggestions?
Thanks!
Hello,
I might have misunderstood it, but what is your actual question?
Cheers,
Henning
-----Original Message----- From: 13715209697--- via sr-users sr-users@lists.kamailio.org Sent: Freitag, 25. April 2025 05:39 To: sr-users@lists.kamailio.org Cc: 13715209697@139.com Subject: [SR-Users] Authentication qop auth-int
Hello!
Kamailio 5.7.6
Debian 10.12
Here is my authentication route:
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "0")) { auth_challenge("$fd", "2"); # flag not 0 exit; } # user authenticated - remove auth header if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } ... }start eyebeam Version 1.5.14.4
eyebeam --->REGISTER ----> kamailio <--401 (WWW-Authenticate: Digest realm="192.168.3.10", nonce=..., qop="auth-int") --->REGISTER (Authorization: Digest username="08001",realm="192.168.3.10",nonce=...,uri=...,response=...,cno nce=...,nc=00000001,qop=auth-int,algorithm=MD5) <--401 (auth_challenge() return -2 ) ``` OpenSIPS 3.4.12 register to kamailio, got the same result as eyebeam Any suggestions? Thanks! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr- users@lists.kamailio.org To unsubscribe send an email to sr-users- leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
There is a project that requires auth_int,OpenSIPS and Kamailio handle auth_int differently, which confuses me.
Kamalio support for auth-int (and all md5-sess too) is likely to be broken. I've fixed quite few bugs originating from 2005 era in the scope of the RFC8760 Interop prep that we've done for OpenSIPIt few years ago. To the best of my knowledge none has been pulled back into Kamalio and when confronting Daniel about RFC8760 year or two ago he was not particularly interested.
Your best recourse therefore is disable auth-int on the OpenSIPS side while dealing with Kamalio.
-Max
On Sat, Apr 26, 2025, 3:52 AM 13715209697--- via sr-users < sr-users@lists.kamailio.org> wrote:
There is a project that requires auth_int,OpenSIPS and Kamailio handle auth_int differently, which confuses me. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Hello,
there was no ticket, it was only discussed on the list.
If there is an issue in the way Kamailio handles the authentication in "auth-int" mode regarding the RFC standards, please share more information that it could be possible be fixed.
Cheers,
Henning
-----Original Message----- From: 13715209697--- via sr-users sr-users@lists.kamailio.org Sent: Sonntag, 27. April 2025 03:34 To: sr-users@lists.kamailio.org Cc: 13715209697@139.com Subject: [SR-Users] Re: Authentication qop auth-int
THank Maxim Sobolev!
Thank Henning Westerholt!
pls close this ticket __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr- users@lists.kamailio.org To unsubscribe send an email to sr-users- leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Hello Maxim,
thanks for the context. Regarding RFC 8760 interoperability, there have been also recently some extensions to the module to configure the SHA256 on a per-message base, I think.
The auth module in Kamailio is based on the one from SER which supported additional security protection mechanism, so it’s not that closely related to the code base used in the other project.
Due to the mentioned differences in the module implementation, it’s not feasible to import the code changes done there right away. But of course, we are always open for fixes e.g. as a pull request.
Cheers,
Henning
From: Maxim Sobolev via sr-users sr-users@lists.kamailio.org Sent: Samstag, 26. April 2025 21:33 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: 13715209697@139.com; Maxim Sobolev sobomax@sippysoft.com Subject: [SR-Users] Re: Authentication qop auth-int
Kamalio support for auth-int (and all md5-sess too) is likely to be broken. I've fixed quite few bugs originating from 2005 era in the scope of the RFC8760 Interop prep that we've done for OpenSIPIt few years ago. To the best of my knowledge none has been pulled back into Kamalio and when confronting Daniel about RFC8760 year or two ago he was not particularly interested.
Your best recourse therefore is disable auth-int on the OpenSIPS side while dealing with Kamalio.
-Max
On Sat, Apr 26, 2025, 3:52 AM 13715209697--- via sr-users <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> wrote: There is a project that requires auth_int,OpenSIPS and Kamailio handle auth_int differently, which confuses me. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
I agree with Maxim Sobole.
I recently had a project that used Freeswitch and Kamailio.
loadmodule ims_registrar_pcscf .so loadmodule ims_auth.so modparam(ims_auth, "registration_qop”, “auth,auth-int”)
... freeswitch REGISTER qop=auth,auth-int REGSTER qop=auth-int 401 ...
I will modify the FreeSWITCH source code to disable auth-int.
You seem to use the ims authentication module, this one does not implement the www-digest authentication, but the AKA variant, which I don't think freeswitch implement. You would need an IMS phone for AKA authentication.
Cheers, Daniel
On 27.04.25 12:43, 13715209697--- via sr-users wrote:
I agree with Maxim Sobole.
I recently had a project that used Freeswitch and Kamailio.
loadmodule ims_registrar_pcscf .so loadmodule ims_auth.so modparam(ims_auth, "registration_qop”, “auth,auth-int”)
... freeswitch REGISTER qop=auth,auth-int REGSTER qop=auth-int 401 ...
I will modify the FreeSWITCH source code to disable auth-int. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
-
13715209697@139.com -
Daniel-Constantin Mierla -
Henning Westerholt -
Maxim Sobolev