[Users] Proxy authentication message to wrong port
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Aug 8 09:55:51 CEST 2006
Use force_rport()
http://openser.org/dokuwiki/doku.php?id=openser_v1.1.0_core_cookbook#force_rport
regards
klaus
M D wrote:
> Hi
>
> I have an OpenSER 1.1 box on a public IP running a config taken
> more-or-less verbatim from the iptel.org getting
> started examples. I have a UA behind a PIX which is translating port
> 5060 on the phone to port 8907 on the firewall. OpenSER is ignoring this
> and sending replies to INVITEs to port 5060 on the firewall.
>
> If it's likely to make any difference, the PATed IP and the IP of the
> OpenSER box are on the same network.
>
> 31 61.574505 193.x.x.15 -> 193.x.x.5 SIP/SDP Request: INVITE
> sip:5551212@193.x.x.5;user=phone, with
> session description
> 32 61.575998 193.x.x.5 -> 193.x.x.15 SIP Status: 407 Proxy
> Authentication Required
>
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: SIP Request:
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: method: <INVITE>
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: uri: <
> sip:5551212@193.x.x.5;user=phone>
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: version: <SIP/2.0>
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=2
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: Found param type 232,
> <branch> = <z9hG4bK4ae31c203ab6ceb>; state=16
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: end of header reached,
> state=5
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: Via found,
> flags=2
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: this is
> the first via
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: After parse_msg...
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: preparing to run routing
> scripts...
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=100
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of
> header reached, state=10
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to:
> display={}, ruri={sip:5551212@193.x.x.5;user=phone}
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_field:
> <To> [39]; uri=[ sip:5551212@193.x.x.5;user=phone]
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: to body [<
> sip:5551212@193.x.x.5;user=phone>^M ]
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: get_hdr_field: cseq
> <CSeq>: <1> <INVITE>
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_body :
> content_length=284
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: found end of header
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: is_maxfwd_present:
> max_forwards header not found!
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: add_param:
> tag=3783260355
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of
> header reached, state=29
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to:
> display={}, ruri={sip:84410001@193.x.x.5;user=phone}
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=200
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: find_first_route: No
> Route headers found
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: loose_route: There is no
> Route HF
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking
> if host==us: 12==12 && [ 193.x.x.5] == [193.x.x.5]
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking
> if port 5060 matches port 5060
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler: start
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=10000
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: pre_auth(): Credentials
> with given realm not found
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler:
> proxy_authorize failed
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: build_auth_hf():
> 'Proxy-Authenticate: Digest realm=" 193.x.x.5",
> nonce="44d3636e40c00e3f51456a587f994d0f285325af"^M '
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers:
> flags=ffffffffffffffff
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: check_via_address(
> 193.x.x.15, 10.200.100.46, 0)
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:destroy_avp_list:
> destroying list (nil)
> Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: receive_msg: cleaning up
>
> How can I force proxy_challenge() to send its challenge to port 8907?
>
> Cheers,
>
> Mark
>
>
> Config:
>
> debug=8
> fork=yes
> log_stderror=no
>
> listen=193.82.139.5
> port=5060
> children=4
>
> dns=no
> rev_dns=no
> fifo="/tmp/ser_fifo"
> fifo_db_url="mysql://openserro:openserro@localhost/openser"
>
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
> loadmodule "/usr/lib/openser/modules/uri.so"
> loadmodule "/usr/lib/openser/modules/uri_db.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
>
> modparam("auth_db|uri_db|usrloc", "db_url",
> "mysql://openserro:openserro@localhost/openser")
> modparam("auth_db", "calculate_ha1", 1)
> modparam("auth_db", "password_column", "password")
>
> modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
>
> modparam("usrloc", "db_mode", 2)
>
> modparam("registrar", "nat_flag", 6)
>
> modparam("rr", "enable_full_lr", 1)
>
> route {
>
>     # -----------------------------------------------------------------
>     # Sanity Check Section
>     # -----------------------------------------------------------------
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483", "Too Many Hops");
>         return;
>     };
>
>     if (msg:len > max_len) {
>         sl_send_reply("513", "Message Overflow");
>         return;
>     };
>
>     # -----------------------------------------------------------------
>     # Record Route Section
>     # -----------------------------------------------------------------
>     if (method!="REGISTER") {
>         record_route();
>     };
>
>     if (method=="BYE" || method=="CANCEL") {
>         unforce_rtp_proxy();
>     }
>
>     # -----------------------------------------------------------------
>     # Loose Route Section
>     # -----------------------------------------------------------------
>     if (loose_route()) {
>
>         if ((method=="INVITE" || method=="REFER") && !has_totag()) {
>             sl_send_reply("403", "Forbidden");
>             return;
>         };
>
>         if (method=="INVITE") {
>
>             if (!proxy_authorize("","subscriber")) {
>                 proxy_challenge("","0");
>                 return;
>             } else if (!check_from()) {
>                 sl_send_reply("403", "Use From=ID");
>                 return;
>             };
>             consume_credentials();
>
>             if (nat_uac_test("19")) {
>                 setflag(6);
>                 force_rport();
>                 fix_nated_contact();
>             };
>             force_rtp_proxy("l");
>         };
>         route(1);
>         return;
>     };
>
>     # -----------------------------------------------------------------
>     # Call Type Processing Section
>     # -----------------------------------------------------------------
>     if (uri!=myself) {
>         route(4);
>         route(1);
>         return;
>     };
>
>     if (method=="ACK") {
>         route(1);
>         return;
>     } else if (method=="CANCEL") {
>         route(1);
>         return;
>     } else if (method=="INVITE") {
>         route(3);
>         return;
>     } else if (method=="REGISTER") {
>         route(2);
>         return;
>     };
>
>     lookup("aliases");
>     if (uri!=myself) {
>         route(4);
>         route(1);
>         return;
>     };
>
>     if (!lookup("location")) {
>         sl_send_reply("404", "User Not Found");
>         return;
>     };
>
>     route(1);
> }
>
> route[1] {
>     log("XXX default handler: start");
>
>     # -----------------------------------------------------------------
>     # Default Message Handler
>     # -----------------------------------------------------------------
>
>     t_on_reply("1");
>
>     if (!t_relay()) {
>         if (method=="INVITE" && isflagset(6)) {
>             unforce_rtp_proxy();
>         };
>         sl_reply_error();
>     };
> }
>
> route[2] {
>     log("XXX REGISTER handler: start");
>
>     # -----------------------------------------------------------------
>     # REGISTER Message Handler
>     # ----------------------------------------------------------------
>
>     if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
>         log("XXX REGISTER handler: valid contact and nat_uac_test(19) true");
>         setflag(6);
>         fix_nated_register();
>         force_rport();
>     };
>
>     log("XXX REGISTER handler: 100 trying");
>     sl_send_reply("100", "Trying");
>
>     if (!www_authorize("","subscriber")) {
>         log("XXX REGISTER handler: www_authorize failed");
>         www_challenge("","0");
>         return;
>     };
>
>     if (!check_to()) {
>         sl_send_reply("401", "Unauthorized");
>         return;
>     };
>
>     consume_credentials();
>
>     if (!save("location")) {
>         sl_reply_error();
>     };
>     log("XXX REGISTER handler: location saved");
> }
>
> route[3] {
>     log("XXX INVITE handler: start");
>
>     # -----------------------------------------------------------------
>     # INVITE Message Handler
>     # -----------------------------------------------------------------
>
>     if (!proxy_authorize("","subscriber")) {
>         log("XXX INVITE handler: proxy_authorize failed");
>         proxy_challenge("","0");
>         return;
>     } else if (!check_from()) {
>         sl_send_reply("403", "Use From=ID");
>         return;
>     };
>
>     consume_credentials();
>
>     if (nat_uac_test("19")) {
>         setflag(6);
>     }
>
>     lookup("aliases");
>     if (uri!=myself) {
>         route(4);
>         route(1);
>         return;
>     };
>
>     if (!lookup("location")) {
>         sl_send_reply("404", "User Not Found");
>         return;
>     };
>
>     route(4);
>     route(1);
> }
>
> route[4] {
>     log("XXX NAT traversal: start");
>
>     # -----------------------------------------------------------------
>     # NAT Traversal Section
>     # -----------------------------------------------------------------
>
>     if (isflagset(6)) {
>         force_rport();
>         fix_nated_contact();
>         force_rtp_proxy();
>     }
> }
>
> onreply_route[1] {
>     log("XXX onreply_route: start");
>
>     if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
>         if (!search("^Content-Length:[ ]*0")) {
>             force_rtp_proxy();
>         };
>     };
>
>     if (nat_uac_test("1")) {
>         log("XXX onreply_route: nat_uac_test(1) true");
>         fix_nated_contact();
>     };
> }
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
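
Why the 407 in the thread above lands on port 5060 and what force_rport() changes, as an added example that is not part of the original messages or of OpenSER: a Python model of the UDP reply-destination rules in RFC 3261 section 18.2 and RFC 3581. Assumptions: the Via value has no port (the Via host and branch are taken from the quoted log), and 192.0.2.15 is a constructed stand-in for the masked firewall address.

```python
import re

DEFAULT_SIP_PORT = 5060  # used when the Via sent-by carries no port

def parse_top_via(via):
    """Return (host, port or None, params) for one Via header value."""
    sent_by, *raw_params = [part.strip() for part in via.split(";")]
    if not sent_by.split():
        raise ValueError("empty Via value")
    hostport = sent_by.split()[-1]          # drop the "SIP/2.0/UDP" prefix
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::(\d+))?", hostport)
    if m is None:
        raise ValueError(f"unparseable sent-by: {hostport!r}")
    params = {}
    for raw in raw_params:
        name, _, value = raw.partition("=")
        params[name.strip().lower()] = value.strip()
    port = int(m.group(2)) if m.group(2) else None
    return m.group(1), port, params

def reply_destination(via, src_ip, src_port, force_rport=False):
    """Where a stateless reply (such as a 407) is sent for a UDP request.

    force_rport=True models calling force_rport() before the reply is
    built: the request is treated as if the client had sent ";rport".
    """
    _host, via_port, params = parse_top_via(via)
    if force_rport or "rport" in params:
        # RFC 3581: reply to the address AND port the packet came from,
        # i.e. the NAT binding (port 8907 in the thread).
        return src_ip, src_port
    # RFC 3261 18.2.1/18.2.2: a sent-by host that differs from the source
    # gets a "received" parameter, so the IP is the packet source, but
    # the port still comes from the Via sent-by or the 5060 default.
    return src_ip, via_port or DEFAULT_SIP_PORT

# Constructed input: private Via host behind the PIX, no port, no rport.
VIA = "SIP/2.0/UDP 10.200.100.46;branch=z9hG4bK4ae31c203ab6ceb"
SRC = ("192.0.2.15", 8907)   # constructed public address, PAT port

if __name__ == "__main__":
    print("without rport :", reply_destination(VIA, *SRC))
    print("force_rport() :", reply_destination(VIA, *SRC, force_rport=True))
```

In the quoted config, force_rport() is only reached after proxy_authorize() succeeds, so the 407 challenge itself is built under the first rule.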