[Serusers] authentication problem

Jan Janak jan at iptel.org
Tue Nov 9 16:48:45 CET 2004


The 2nd authentication request comes from Asterisk. It also uses the
same digest realm ("asterisk") which is wrong, asterisk and ser should
use different digest realms.

Also note that only few user agents would support multiple digest
credentials in a single SIP message (for SER and asterisk). The solution
would be to disable authentication in one of them.

  Jan.

On 09-11 16:40, Martin Bangiev wrote:
> Yes that's what it says - but it's not
> here is the whole log for the session
> 
> 0(18510) SIP Request:
> 0(18510)  method:  <INVITE>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK5a8b19762ff03932>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=16384
> 0(18510) end of header reached, state=9
> 0(18510) DEBUG: get_hdr_field: <To> [20]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>
> ]
> 0(18510) get_hdr_field: cseq <CSeq>: <52160> <INVITE>
> 0(18510) DEBUG: get_hdr_body : content_length=169
> 0(18510) found end of header
> 0(18510) pre_auth(): Credentials with given realm not found
> 0(18510) build_auth_hf(): 'Proxy-Authenticate: Digest realm="asterisk", 
> nonce="4190d804c51f55efc7af5db65b7b1d2539cadbb6"
> '
> 0(18510) parse_headers: flags=-1
> 0(18510) check_via_address(10.10.0.13, 10.10.0.13, 0)
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Request:
> 0(18510)  method:  <ACK>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK5a8b19762ff03932>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=4
> 0(18510) DEBUG: add_param: tag=89f3a2e99dcf9447240c5dd5d06c7672.c886
> 0(18510) end of header reached, state=29
> 0(18510) DEBUG: get_hdr_field: <To> [62]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>]
> 0(18510) DEBUG: sl_filter_ACK : local ACK found -> dropping it!
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Request:
> 0(18510)  method:  <INVITE>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK1d7e814619765104>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=16384
> 0(18510) end of header reached, state=9
> 0(18510) DEBUG: get_hdr_field: <To> [20]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>
> ]
> 0(18510) check_nonce(): comparing 
> [4190d804c51f55efc7af5db65b7b1d2539cadbb6] and 
> [4190d804c51f55efc7af5db65b7b1d2539cadbb6]
> 0(18510) query="select password from subscriber where 
> username='bangieff' AND domain='asterisk'"
> 0(18510) HA1 string calculated: fe6a6d50bebb95056a4a4cd70c12bf8d
> 0(18510) check_response(): Our result = 'edab854b21ebc3308185694bcf441641'
> 0(18510) check_response(): Authorization is OK
> 0(18510) save_rpid(): rpid value is ''
> 0(18510) check_via_address(10.10.0.13, 10.10.0.13, 0)
> 0(18510) Sending:
> INVITE sip:666 at 10.3.3.7 SIP/2.0
> Via: SIP/2.0/UDP 10.3.3.7;branch=0
> Via: SIP/2.0/UDP 10.10.0.13;branch=z9hG4bK1d7e814619765104
> From: "Bangieff testing" <sip:bangieff at 10.3.3.7>;tag=fd9a2b996ea63547
> To: <sip:666 at 10.3.3.7>
> Contact: <sip:bangieff at 10.10.0.13>
> Proxy-Authorization: DIGEST username="bangieff", realm="asterisk", 
> algorithm=MD5, uri="sip:666 at 10.3.3.7", 
> nonce="4190d804c51f55efc7af5db65b7b1d2539cadbb6", 
> response="edab854b21ebc3308185694bcf441641"
> Call-ID: 3ec72f37e210ae30 at 10.10.0.13
> CSeq: 52161 INVITE
> User-Agent: Grandstream BT100 1.0.4.54
> Max-Forwards: 70
> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE
> Content-Type: application/sdp
> Content-Length: 169
> 
> v=0
> o=bangieff 8000 8000 IN IP4 10.10.0.13
> s=SIP Call
> c=IN IP4 10.10.0.13
> t=0 0
> m=audio 5004 RTP/AVP 18 8
> a=rtpmap:18 G729/8000
> a=rtpmap:8 PCMA/8000
> a=ptime:20
> .
> 0(18510) orig. len=830, new_len=866, proto=1
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Reply  (status):
> 0(18510)  version: <SIP/2.0>
> 0(18510)  status:  <407>
> 0(18510)  reason:  <Proxy Authentication Required>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <0>; state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) forward_reply: found module tm, passing reply to it
> 0(18510) DEBUG: t_check: msg id=4 global id=0 T start=0xffffffff
> 0(18510) parse_headers: flags=17
> 0(18510) Found param type 232, <branch> = <z9hG4bK1d7e814619765104>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=17
> 0(18510) parse_headers: this is the second via
> 0(18510) DEBUG: add_param: tag=as4540c185
> 0(18510) end of header reached, state=29
> 0(18510) DEBUG: get_hdr_field: <To> [35]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>]
> 0(18510) get_hdr_field: cseq <CSeq>: <52161> <INVITE>
> 0(18510) parse_headers: flags=4
> 0(18510) DEBUG: t_reply_matching: failure to match a transaction
> 0(18510) DEBUG: t_check: msg id=4 global id=4 T end=(nil)
> 0(18510) parse_headers: flags=2
> 0(18510)  old size: 500, new size: 464
> 0(18510) build_res_from_sip_res: copied size: orig:79, new: 43, rest: 
> 421 msg=
> SIP/2.0 407 Proxy Authentication Required
> Via: SIP/2.0/UDP 10.10.0.13;branch=z9hG4bK1d7e814619765104
> From: "Bangieff testing" <sip:bangieff at 10.3.3.7>;tag=fd9a2b996ea63547
> To: <sip:666 at 10.3.3.7>;tag=as4540c185
> Call-ID: 3ec72f37e210ae30 at 10.10.0.13
> CSeq: 52161 INVITE
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact: <sip:666 at 10.3.3.7:5061>
> Proxy-Authenticate: Digest realm="asterisk", nonce="2c53d86c"
> Content-Length: 0
> 
> 
> 0(18510) update_sock_struct_from_via: using via host
> 0(18510) update_sock_struct_from_via: trying SRV lookup
> 0(18510)  reply forwarded to 10.10.0.13:0
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Request:
> 0(18510)  method:  <ACK>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK1d7e814619765104>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=4
> 0(18510) DEBUG: add_param: tag=as4540c185
> 0(18510) end of header reached, state=29
> 0(18510) DEBUG: get_hdr_field: <To> [35]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>]
> 0(18510) check_via_address(10.10.0.13, 10.10.0.13, 0)
> 0(18510) Sending:
> ACK sip:666 at 10.3.3.7 SIP/2.0
> Via: SIP/2.0/UDP 10.3.3.7;branch=0
> Via: SIP/2.0/UDP 10.10.0.13;branch=z9hG4bK1d7e814619765104
> From: "Bangieff testing" <sip:bangieff at 10.3.3.7>;tag=fd9a2b996ea63547
> To: <sip:666 at 10.3.3.7>;tag=as4540c185
> Contact: <sip:bangieff at 10.10.0.13>
> Proxy-Authorization: DIGEST username="bangieff", realm="asterisk", 
> algorithm=MD5, uri="sip:666 at 10.3.3.7", 
> nonce="4190d804c51f55efc7af5db65b7b1d2539cadbb6", 
> response="b56d7b82e7c8b44f13abf5a8352d32f5"
> Call-ID: 3ec72f37e210ae30 at 10.10.0.13
> CSeq: 52161 ACK
> User-Agent: Grandstream BT100 1.0.4.54
> Max-Forwards: 70
> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE
> Content-Length: 0
> 
> .
> 0(18510) orig. len=637, new_len=673, proto=1
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Request:
> 0(18510)  method:  <INVITE>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK39325a8b2b992ff0>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=16384
> 0(18510) end of header reached, state=9
> 0(18510) DEBUG: get_hdr_field: <To> [20]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>
> ]
> 0(18510) pre_auth(): Invalid nonce value received
> 0(18510) build_auth_hf(): 'Proxy-Authenticate: Digest realm="asterisk", 
> nonce="4190d804c51f55efc7af5db65b7b1d2539cadbb6"
> '
> 0(18510) parse_headers: flags=-1
> 0(18510) get_hdr_field: cseq <CSeq>: <52162> <INVITE>
> 0(18510) DEBUG: get_hdr_body : content_length=169
> 0(18510) found end of header
> 0(18510) check_via_address(10.10.0.13, 10.10.0.13, 0)
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 0(18510) SIP Request:
> 0(18510)  method:  <ACK>
> 0(18510)  uri:     <sip:666 at 10.3.3.7>
> 0(18510)  version: <SIP/2.0>
> 0(18510) parse_headers: flags=1
> 0(18510) Found param type 232, <branch> = <z9hG4bK39325a8b2b992ff0>; 
> state=16
> 0(18510) end of header reached, state=5
> 0(18510) parse_headers: Via found, flags=1
> 0(18510) parse_headers: this is the first via
> 0(18510) After parse_msg...
> 0(18510) preparing to run routing scripts...
> 0(18510) parse_headers: flags=4
> 0(18510) DEBUG: add_param: tag=89f3a2e99dcf9447240c5dd5d06c7672.d4ff
> 0(18510) end of header reached, state=29
> 0(18510) DEBUG: get_hdr_field: <To> [62]; uri=[sip:666 at 10.3.3.7]
> 0(18510) DEBUG: to body [<sip:666 at 10.3.3.7>]
> 0(18510) DEBUG: sl_filter_ACK : local ACK found -> dropping it!
> 0(18510) DEBUG:destroy_avp_list: destroing list (nil)
> 0(18510) receive_msg: cleaning up
> 
> 
> 
> 
> Jan Janak wrote:
> 
> >On 09-11 16:17, Martin Bangiev wrote:
> > 
> >
> >>Hi all,
> >>I have ttrouble making IP phone (BudgeTone-100) + Ser + Asterisk work 
> >>together with authentication
> >>I installed and setup the ser according to the instructions in the 
> >>howto-s with enabled mysql authentication.
> >>The ser and the asterisk are working together on a single maschine 
> >>(10.3.3.7). Ser is listening on port 5060 and asterisk is on port 5061.
> >>What I want is when the IP phone (10.10.0.13) get authenticated to be 
> >>forwarded from ser to asterisk.
> >>Here is my route script (it's quite simple i think):
> >>route{
> >>  if (!proxy_authorize("asterisk", "subscriber")) {
> >>    proxy_challenge("asterisk", "0");
> >>    break;
> >>  };
> >>  forward(10.3.3.7, 5061);
> >>}
> >>
> >>here is a piece of the ser's output:
> >>0(16841) check_nonce(): comparing 
> >>[4190d1a0be145d87dc84c516175f8b46bc4923d6] and 
> >>[4190d1a0be145d87dc84c516175f8b46bc4923d6]
> >>0(16841) query="select password from subscriber where 
> >>username='bangieff' AND domain='asterisk'"
> >>0(16841) HA1 string calculated: fe6a6d50bebb95056a4a4cd70c12bf8d
> >>0(16841) check_response(): Our result = '6362285d3385465321ce523620522056'
> >>0(16841) check_response(): Authorization is OK
> >>0(16841) save_rpid(): rpid value is ''
> >>0(16841) check_via_address(10.10.0.13, 10.10.0.13, 0)
> >>0(16841) Sending:
> >>
> >>   
> >>
> >
> > It says it was sucessful. What was in the log after the last message
> > (Sending:)
> >
> >   Jan.
> >
> > 
> >
> 




More information about the sr-users mailing list