Hi,
Thanks for the reply! I did however just get 407 instead of 401.
But...I found the fault! :-)
In for example the client program X-Lite you specify 'Domain/Realm' in the menu
(i.e. one field), where I've specified the SIP server's IP address. But when the user
was created (with serctl) the SIP_DOMAIN variable was set to something else. So when I
deleted the user, set the variable to the server's IP address and recreated the user, the
auth register msg went through.
Regards,
//Magnus
-----Original Message-----
From: innovation.interops(a)wipro.com [mailto:innovation.interops@wipro.com]
Sent: den 3 januari 2005 08:16
To: Magnus Sörman (AL/EAB); serusers(a)lists.iptel.org
Subject: RE: [Serusers] Digest Authentication
Hello,
Try these inclusions pls for a simple straightforward Digest Auth...

modparam("auth_db", "db_url", "sql://ser:heslo@localhost/ser")

# main routing logic
route{
    if(!proxy_authorize("yourdomain.com" /* realm */,
                        "subscriber" /* table name */ ))
    {
        proxy_challenge("yourdomain.com", "0");
        break;
    }
    sl_send_reply("200", "ok");
}

karthikeyan.k
_____
From: serusers-bounces(a)lists.iptel.org on behalf of Magnus Sörman (AL/EAB)
Sent: Thu 12/30/2004 3:45 PM
To: 'serusers(a)lists.iptel.org'
Subject: [Serusers] Digest Authentication
Hi,
I need some help with digest authentication.
When I uncomment those lines in ser.cfg, the register msg stops working. In the trace, see
below, you can see the nonce being sent in the re-register msg, but the server still
responds with 401 Unauthorized. I've tried with both 0 and 1 in the www_challenge.
Without the digest authentication the register works fine.
Thanks in advance,
//Magnus
ser.cfg (ser 0.8.12 running on a Fedora box. Used for test purpose only):
====================================================
# ----------- global configuration parameters ------------------------
#debug=3 # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
sip_warning=no
alias="sip_server_ip"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/ser/modules/mysql.so"
loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/tm.so"
loadmodule "/usr/lib/ser/modules/rr.so"
loadmodule "/usr/lib/ser/modules/maxfwd.so"
loadmodule "/usr/lib/ser/modules/usrloc.so"
loadmodule "/usr/lib/ser/modules/registrar.so"
loadmodule "/usr/lib/ser/modules/pa.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/ser/modules/auth.so"
loadmodule "/usr/lib/ser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which is true in this config),
# uncomment also the following parameter
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();
    # loose-route processing
    if (loose_route()) {
        t_relay();
        break;
    };
    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri == myself ) {
        if (method=="SUBSCRIBE") {
            if(t_newtran()){
                handle_subscription("registrar");
                break;
            };
        };
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("sip_server_ip",
                "subscriber")) {
                www_challenge("sip_server_ip", "1");
                break;
            };
            save("location");
            break;
        };
        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    # forward to current uri now; use stateful forwarding; that
    # works reliably even if we forward from TCP to UDP
    if (!t_relay()) {
        sl_reply_error();
    };
}
Register trace:
==========
REGISTER sip:sip_server_ip SIP/2.0
Via: SIP/2.0/UDP local_pc_ip:5060;rport;branch=z9hG4bK4268DFDFE5EE410C8DB113A6223C800C
From: Magnus <sip:magnus@sip_server_ip>;tag=470300110
To: Magnus <sip:magnus@sip_server_ip>
Contact: "Magnus" <sip:magnus@local_pc_ip:5060>
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB@sip_server_ip
CSeq: 6590 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP local_pc_ip:5060;rport=5060;branch=z9hG4bK4268DFDFE5EE410C8DB113A6223C800C
From: Magnus <sip:magnus@sip_server_ip>;tag=470300110
To: Magnus <sip:magnus@sip_server_ip>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0d0e
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB@sip_server_ip
CSeq: 6590 REGISTER
WWW-Authenticate: Digest realm="sip_server_ip", nonce="41d1321431d402c1af9617eb73deccbce7e532d5", qop="auth"
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0

REGISTER sip:sip_server_ip SIP/2.0
Via: SIP/2.0/UDP local_pc_ip:5060;rport;branch=z9hG4bK1813C486770C442BB51E58686A61921F
From: Magnus <sip:magnus@sip_server_ip>;tag=470300110
To: Magnus <sip:magnus@sip_server_ip>
Contact: "Magnus" <sip:magnus@local_pc_ip:5060>
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB@sip_server_ip
CSeq: 6591 REGISTER
Expires: 1800
Authorization: Digest username="magnus",realm="sip_server_ip",nonce="41d1321431d402c1af9617eb73deccbce7e532d5",response="27ea80aed1b9f5086b396c8f86bcec60",uri="sip:sip_server_ip",qop=auth,cnonce="9F5BBA98D6724D909C6560E8A045A300",nc=00000006
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP local_pc_ip:5060;rport=5060;branch=z9hG4bK1813C486770C442BB51E58686A61921F
From: Magnus <sip:magnus@sip_server_ip>;tag=470300110
To: Magnus <sip:magnus@sip_server_ip>;tag=b27e1a1d33761e85846fc98f5f3a7e58.9cf2
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB@sip_server_ip
CSeq: 6591 REGISTER
WWW-Authenticate: Digest realm="sip_server_ip", nonce="41d1321431d402c1af9617eb73deccbce7e532d5", qop="auth"
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
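
The realm dependency behind the fix reported at the top of this thread, as an added example that is not part of the original messages: an RFC 2617 digest check using the header parameters from the trace above. The password and the earlier SIP_DOMAIN value are constructed placeholders, and how ser 0.8.12 looks up the subscriber row is not modelled.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Split a Digest header value into its parameters (quoted or bare)."""
    body = header_value.split(None, 1)[1]          # drop the "Digest" scheme
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {key: quoted or bare for key, quoted, bare in pairs}

def ha1(username, realm, password):
    # HA1 binds the password to one realm; a different realm gives a different HA1
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, p):
    # RFC 2617 response for qop=auth
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(
        f"{ha1_hex}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

# Parameters of the Authorization header in the second REGISTER of the trace
AUTHZ = ('Digest username="magnus",realm="sip_server_ip",'
         'nonce="41d1321431d402c1af9617eb73deccbce7e532d5",'
         'uri="sip:sip_server_ip",qop=auth,'
         'cnonce="9F5BBA98D6724D909C6560E8A045A300",nc=00000006')

PASSWORD = "constructed-password"    # assumption: real password is not on the page
OLD_DOMAIN = "old.domain.invalid"    # assumption: stands in for the earlier SIP_DOMAIN

def server_accepts(provisioned_realm):
    """True if a credential provisioned under provisioned_realm verifies
    a response the client computed for the realm in the challenge."""
    p = parse_digest(AUTHZ)
    client = digest_response(
        ha1(p["username"], p["realm"], PASSWORD), "REGISTER", p)
    server = digest_response(
        ha1(p["username"], provisioned_realm, PASSWORD), "REGISTER", p)
    return hmac.compare_digest(client, server)

if __name__ == "__main__":
    print("user created under old domain:", server_accepts(OLD_DOMAIN))
    print("user recreated under challenge realm:", server_accepts("sip_server_ip"))
```
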
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers