[Serusers] Digest Authentication
innovation.interops at wipro.com
innovation.interops at wipro.com
Mon Jan 3 08:15:41 CET 2005
Hello,
Try these inclusions pls for a simple straight forward Digest Auth...
modparam("auth_db", "db_url","sql://ser:heslo@localhost/ser")
# main routing logic
route{
if(!proxy_authorize("yourdomain.com" /* realm */,
"subscriber" /* table name */ ))
{
proxy_challenge("yourdomain.com", "0");
break;
}
sl_send_reply("200", "ok");
karthikeyan.k
________________________________
From: serusers-bounces at lists.iptel.org on behalf of Magnus Sörman (AL/EAB)
Sent: Thu 12/30/2004 3:45 PM
To: 'serusers at lists.iptel.org'
Subject: [Serusers] Digest Authentication
Hi,
I need some help with digest authentication.
When I uncomment those lines in ser.cfg, the register msg stops to work. In the trace, see below, you can see the nonce being sent in the re-register msg, but the server still responds with 401 Unauthorized. I've tried with both 0 and 1 in the www_challenge.
Without the digest authentication the register works fine.
Thanks in advance,
//Magnus
ser.cfg (ser 0.8.12 running on a Fedora box. Used for test purpose only):
====================================================
# ----------- global configuration parameters ------------------------
#debug=3 # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
sip_warning=no
alias="sip_server_ip"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/ser/modules/mysql.so"
loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/tm.so"
loadmodule "/usr/lib/ser/modules/rr.so"
loadmodule "/usr/lib/ser/modules/maxfwd.so"
loadmodule "/usr/lib/ser/modules/usrloc.so"
loadmodule "/usr/lib/ser/modules/registrar.so"
loadmodule "/usr/lib/ser/modules/pa.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/ser/modules/auth.so"
loadmodule "/usr/lib/ser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
if ( msg:len > max_len ) {
sl_send_reply("513", "Message too big");
break;
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
record_route();
# loose-route processing
if (loose_route()) {
t_relay();
break;
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri == myself ) {
if (method=="SUBSCRIBE") {
if(t_newtran()){
handle_subscription("registrar");
break;
};
};
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication
if (!www_authorize("sip_server_ip", "subscriber")) {
www_challenge("sip_server_ip", "1");
break;
};
save("location");
break;
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
};
# forward to current uri now; use stateful forwarding; that
# works reliably even if we forward from TCP to UDP
if (!t_relay()) {
sl_reply_error();
};
}
Register trace:
==========
REGISTER sip:sip_server_ip SIP/2.0
Via: SIP/2.0/UDP local_pc_ip:5060;rport;branch=z9hG4bK4268DFDFE5EE410C8DB113A6223C800C
From: Magnus <sip:magnus at sip_server_ip>;tag=470300110
To: Magnus <sip:magnus at sip_server_ip>
Contact: "Magnus" <sip:magnus at local_pc_ip:5060>
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB at sip_server_ip
CSeq: 6590 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP local_pc_ip:5060;rport=5060;branch=z9hG4bK4268DFDFE5EE410C8DB113A6223C800C
From: Magnus <sip:magnus at sip_server_ip>;tag=470300110
To: Magnus <sip:magnus at sip_server_ip>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0d0e
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB at sip_server_ip
CSeq: 6590 REGISTER
WWW-Authenticate: Digest realm="sip_server_ip", nonce="41d1321431d402c1af9617eb73deccbce7e532d5", qop="auth"
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
REGISTER sip:sip_server_ip SIP/2.0
Via: SIP/2.0/UDP local_pc_ip:5060;rport;branch=z9hG4bK1813C486770C442BB51E58686A61921F
From: Magnus <sip:magnus at sip_server_ip>;tag=470300110
To: Magnus <sip:magnus at sip_server_ip>
Contact: "Magnus" <sip:magnus at local_pc_ip:5060>
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB at sip_server_ip
CSeq: 6591 REGISTER
Expires: 1800
Authorization: Digest username="magnus",realm="sip_server_ip",nonce="41d1321431d402c1af9617eb73deccbce7e532d5",response="27ea80aed1b9f5086b396c8f86bcec60",uri="sip:sip_server_ip",qop=auth,cnonce="9F5BBA98D6724D909C6560E8A045A300",nc=00000006
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP local_pc_ip:5060;rport=5060;branch=z9hG4bK1813C486770C442BB51E58686A61921F
From: Magnus <sip:magnus at sip_server_ip>;tag=470300110
To: Magnus <sip:magnus at sip_server_ip>;tag=b27e1a1d33761e85846fc98f5f3a7e58.9cf2
Call-ID: EB7272E371C24F6C8F24DB47A53EE7CB at sip_server_ip
CSeq: 6591 REGISTER
WWW-Authenticate: Digest realm="sip_server_ip", nonce="41d1321431d402c1af9617eb73deccbce7e532d5", qop="auth"
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
_______________________________________________
Serusers mailing list
serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
Confidentiality Notice
The information contained in this electronic message and any attachments to this message are intended
for the exclusive use of the addressee(s) and may contain confidential or privileged information. If
you are not the intended recipient, please notify the sender at Wipro or Mailadmin at wipro.com immediately
and destroy all copies of this message and any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20050103/08e53701/attachment.htm>
More information about the sr-users
mailing list