[Serusers] Can´t CANCEL PSTN calls when using credentials
Marian Dumitru
marian.dumitru at voice-sistem.ro
Sun Mar 27 13:01:13 CEST 2005
Hi Rafael,
You shouldn't authenticate request within the dialog (with to_tag), but
only the initial requests (which create the dialog).
To be sure "from" is the same as "credentials" call check_from() after
authentication was confirmed - this way , further in your script, you
can check "from" with the same confidence as for "credentials".
Best regards,
Marian
Rafael J. Risco G.V. wrote:
> Marian
> thanks a lot again, it works with uri "from" instead of "credentials"
> , I also changed my script to challenge all non-register messages just
> to ensure CANCELs and INVITEs follow the same path, its that correct?
> (...according to Jan "auth module will never challenge ACKs and
> CANCELs, it will always return that the authentication was sucessful),
> by the way, is there any security disadvantage in to use "from"
> instead of credentials?
>
> best regards
> rafael
>
> PS: thats my new register and non-register auth method:
>
> if (method == "REGISTER") {
> log(1, "ANALYZING REGISTER REQUEST\n");
> if (is_user_in("Request-URI", "deactivated")) {
> sl_send_reply("402", "Su cuenta fue
> desactivada");
> break;
> };
> ### digest authentication
> if (!www_authorize("mydomain.com.pe", "subscriber")) {
> www_challenge("mydomain.com.pe", "0");
> break;
> };
>
> if (!save("location")) {
> sl_reply_error();
> };
> break;
> };
>
> if (!method == "REGISTER" && src_ip!=GW_AS5350_IP) {
> log(1, "ANALYZING INVITE||CANCEL... REQUESTs\n");
> if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
> proxy_challenge("mydomain.com.pe", "1");
> break;
> };
>
> /* ***************** Dial out to Local and PSTN logic
> ****************** */
>
> # forward n digit requests to gateway AS5350 (Celulares)
> if(uri=~"^sip:9"){
> log(1," digit expression match - Celulares");
> if (!is_user_in("from", "mobile")) {
> sl_send_reply("403", "No permission
> for mobile calls");
> break;
> };
> rewritehostport("GW_AS5350_IP:5060");
> route(1); ##Nathelper
> break;
> };
>
> };
> ......
> .
> .
> .
>
>
>
>
>
> On Sat, 26 Mar 2005 23:55:28 +0100, Marian Dumitru
> <marian.dumitru at voice-sistem.ro> wrote:
>
>>Hi Rafael,
>>
>>the cancelling doesn't work because you process the INVITEs and CANCELs
>>in different way and because of this the CANCEL cannot follow the same
>>path as the INVITE.
>>As CANCEL is not authenticate (and it should not be), the
>>is_user_in("credentials", "mobile") will fail for CANCELs and you will
>>reply with "403 No permission for mobile calls".
>>Either replace "credential" with "from", either skip this test for CANCELS.
>>
>>Best regards,
>>Marian
>>
>>--
>>Voice System
>>http://www.voice-system.ro
>>
>
--
Voice System
http://www.voice-system.ro
More information about the sr-users
mailing list