[Users] Problems with digest authentication

aimable aimahab at artel.rw
Tue Aug 2 13:22:57 CEST 2005


I tried both of these configurations and none of them worked .
Here below is my configuration

debug=7
fork=yes
log_stderror=yes
listen=193.XXX.XX4.XXX
port=5060
children=4
 
alias=193.XXX.XX4.XXX
alias=sip.mydomain.tld
 
dns=yes
rev_dns=no
 
fifo="/tmp/openser_fifo"
fifo_db_url="mysql://USER:PASSWORD@localhost/openser"
 
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"
 
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 1)
 
modparam("domain", "db_mode", 1)
 
modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 180)
 
modparam("mediaproxy","natping_interval", 30)
modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy.sock")
modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/openser/sip-asymmetr
ic-clients")
modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/openser/rtp-asymmetr
ic-clients")
 
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
 
modparam("registrar", "default_expires", 60)
modparam("registrar", "min_expires", 30)
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)
 
modparam("rr", "enable_full_lr", 1)
 
modparam("auth_db|uri_db|usrloc", "db_url",
"mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "db_url", "mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
 
route {
 
        # -----------------------------------------------------------------
        # Sanity Check Section
        # -----------------------------------------------------------------
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483", "Too Many Hops");
                break;
        };
 
        if (msg:len > max_len) {
                sl_send_reply("513", "Message Overflow");
                break;
        };
 
        # -----------------------------------------------------------------
        # Record Route Section and Acc section
        # -----------------------------------------------------------------
        if (method=="INVITE" && client_nat_test("3")) {
                record_route_preset("193.XXX.XX4.XXX:5060;nat=yes");
        } else if (method!="REGISTER") {
        if!(uri=~"^sip:833[0-9]*@") {
                record_route();
                setflag(1);
            }
        };
 
        # -----------------------------------------------------------------
        # Call Tear Down Section
        # -----------------------------------------------------------------
        if (method=="BYE" || method=="CANCEL") {
                end_media_session();
        };
 
        # -----------------------------------------------------------------
        # Loose Route Section
        # -----------------------------------------------------------------
        if (loose_route()) {
 
                if (has_totag() && (method=="INVITE" || method=="ACK")) {
 
                        if (client_nat_test("3") ||
search("^Route:.*;nat=yes")) {
                                setflag(6);
                                use_media_proxy();
                        };
                };
 
                route(1);
                break;
        };
 
        # -----------------------------------------------------------------
        # Call Type Processing Section
        # -----------------------------------------------------------------
 
        if (uri!=myself) {
                route(1);
                break;
        };
 
        if (uri==myself) {
 
                if (method=="CANCEL") {
                        route(3);
                        break;
                } else if (method=="INVITE") {
                        route(3);
                        break;
                } else  if (method=="REGISTER") {
                        route(2);
                        break;
                };
 
                lookup("aliases");
                if (uri!=myself) {
                        route(1);
                        break;
                };
 
                if (!lookup("location")) {
                        sl_send_reply("404", "User Not Found");
                        break;
                };
        };
 
        route(1);
}
 
route[1] {
 
        # -----------------------------------------------------------------
        # Default Message Handler
        # -----------------------------------------------------------------
 
        t_on_reply("1");
 
        if (!t_relay()) {
 
                if (method=="INVITE" || method=="ACK") {
                        end_media_session();
                };
 
                sl_reply_error();
        };
}
 
route[2] {
 
        # -----------------------------------------------------------------
        # REGISTER Message Handler
        # ----------------------------------------------------------------
 
        if (!search("^Contact:\ +\*") && client_nat_test("7")) {
                setflag(6);
                fix_nated_register();
                force_rport();
        };
 
        sl_send_reply("100", "Trying");
 
        if (!www_authorize("","subscriber")) {
                www_challenge("","0");
                break;
        };
 
        if (!check_to()) {
                sl_send_reply("401", "Unauthorized");
                break;
        };
 
        consume_credentials();
 
        if (!save("location")) {
                sl_reply_error();
        };
}
 
route[3] {
 
        # -----------------------------------------------------------------
        # CANCEL and INVITE Message Handler
        # -----------------------------------------------------------------
 
        if (client_nat_test("3")) {
                setflag(7);
                force_rport();
                fix_nated_contact();
        };
 
        lookup("aliases");
        if (uri!=myself) {
                route(1);
                break;
        };
 
 
        if (!lookup("location")) {
                sl_send_reply("404", "User Not Found");
                break;
        };
 
        if (method=="CANCEL") {
                route(1);
                break;
        };
 
        if (!proxy_authorize("","subscriber")) {
                proxy_challenge("","0");
                break;
        } else if (!check_from()) {
                sl_send_reply("403", "Use From=ID");
                break;
        };
 
        consume_credentials();
 
        if (isflagset(6) || isflagset(7)) {
                use_media_proxy();
        };
 
        route(1);
}
 
onreply_route[1] {
 
        if ((isflagset(6) || isflagset(7)) &&
(status=~"(180)|(183)|2[0-9][0-9]")) {
 
                if (!search("^Content-Length:\ +0")) {
                        use_media_proxy();
                };
        };
 
        if (client_nat_test("1")) {
                fix_nated_contact();
        };
}


-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Tuesday, August 02, 2005 10:50 AM
To: aimable
Cc: users at openser.org
Subject: Re: [Users] Problems with digest authentication

Hello Aimable,

if you get the "pre_auth(): Credentials with given realm not found" 
message means the realm to be used in auth is not found in the 
[WWW-]Authenticate header. Now depends of how you have in script:
    if  you use  www_authorize("my_realm",""), then the "my_relam" will 
be searched in WWW-Authenticate header;
    if you use www_authorize("",""), then the realn will be extracted as 
the domain part of the TO uri.

so you may try:
    www_authorize("talk.artel.rw",""); - it will match the credential
 or
    www_authorize("",""), but configure your UAs to use "talk.artel.rw" 
in as domain part in FROM/URI.

depends which case fits you better...my guess? go for option 1. :)

regards,
bogdan

aimable wrote:

> I have been using various versions of SER from last year without any 
> problem but recently I made a new installation of OpenSER 0.9.5. Since 
> then I am having problems with digest authentication from some of the 
> phones. I have a bunch of 186 ATAs and Cisco 7940 phones but they 
> cannot register to the server, while all the soft phones can register 
> successfully. The server says Credentials with given realm not found. 
> I tried to change the realm to localhost and to the the IP address of 
> the server, with no luck.
>
>  
>
> And below is the result of ngrep
>
>  
>
> I tried to grep the messages from the phones and here below is one 
> message from a Cisco 186 ATA which has failed to register
>
>  
>
> ########### Beginning of the capture ##################
>
>  
>
> U PHONEIP:5060 -> SERVERIP:5060
>
> REGISTER sip:SERVERIP SIP/2.0.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To: <sip:06090003 at SERVERIP;user=phone>.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> Contact: 
> <sip:06090003 at PHONEIP:5060;user=phone;transport=udp>;expires=3600.
>
> User-Agent: Cisco ATA 186  v2.16.2 ata18x (030829a).
>
> Content-Length: 0.
>
>  
>
> #
>
> U SERVERIP:5060 -> PHONEIP:5060
>
> SIP/2.0 100 Trying.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To: <sip:06090003 at SERVERIP;user=phone>.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> Server: OpenSer (0.9.5 (i386/linux)).
>
> Content-Length: 0.
>
> Warning: 392 SERVERIP:5060 "Noisy feedback tells:  pid=4490 
> req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP 
> out_uri=sip:SERVERIP via_cnt==1".
>
>  
>
> #
>
> U SERVERIP:5060 -> PHONEIP:5060
>
> SIP/2.0 401 Unauthorized.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To: 
>
<sip:06090003 at SERVERIP;user=phone>;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0
.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> WWW-Authenticate: Digest realm="talk.artel.rw", 
> nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
>
> Server: OpenSer (0.9.5 (i386/linux)).
>
> Content-Length: 0.
>
> Warning: 392 SERVERIP:5060 "Noisy feedback tells:  pid=4490 
> req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP 
> out_uri=sip:SERVERIP via_cnt==1".
>
>  
>
>  
>
>  
>
>  
>
> Any idea?
>
>  
>
> Aimable
>
>  
>
>  
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Users mailing list
>Users at openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users
>  
>







More information about the sr-users mailing list