[Users] Bogdan: uac_auth cseq workaround - ANY ?

G.Jacobsen g_jacobsen at yahoo.co.uk
Tue May 30 11:13:10 CEST 2006 

Bogdan,

from my humble understanding so far there might be an easier way than to
follow the entire dialog.

As far as I understand RFC3261 section 22.3 second paragraph, all
authorisation challenges by the UAS should be forwarded to the originating
UAC. The current intention of the uac-module is however to catch the 401/407
challenge of the UAS in the failure_route and answer on the UACs behalf. The
UAC receives nothing and does therefore not increase the cseq value. That
way the problem of the non-matching cseq numbers occurs. The RFC explicitly
mentions this problem in paragraph 3.


It appears to me that one could indeed forward the 401/407 challenge to the
UAC, hoping that the UAC knows how to answer such challenge, and modify the
UACs proxy-authorisation credentials response on the way back to the UAS.
The credentials which need to be modified can be identified by the realm.

In essence, whenever openser receives such proxy-authorisation credentials
on an INVITE where the realm matches any of the realms stored in openser and
also the call-id matches that of the forwarded challenge then these
credentials are modified and relayed to the UAS.

So all what one would need would be some method similar to uac_auth which
does not add crednetials but modifyies credentials when there is a match
with stored credentials.

Would that be doable or am I "jumping" too quickly here ?

Cheers

Gerry








----- Original Message ----- 
From: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
To: "G.Jacobsen" <g_jacobsen at yahoo.co.uk>
Cc: <users at openser.org>
Sent: Tuesday, May 30, 2006 10:42 AM
Subject: [Bulk] Re: [Users] uac_auth cseq workaround - ANY ?


> Hi Gerry,
>
> not incrementing the cseq number during authentication is a known
> limitation of the uac module. A solution will require dialog persistence
> on server (cseq number spreads across the entire dialog) - and this is
> only in the early stages....:(
> I'm afraid there is no work around....
>
> regards,
> bogdan
>
> G.Jacobsen wrote:
>
> > Hello,
> >
> > I am trying to use the uac_auth function against an asterisk box and
> > receive 488 not acceptable here.
> >
> > It appears that this is not due to a media problem since the client
> > which is routed through openser can issue an authenticated invite
> > without problems when registered directly with the asterisk box - with
> > exactly the the same media settings.
> >
> > So I supect that this 488 message is due to the fact that openser does
> > not increase the cseq during authentication causing asterisk to issue
> > a 488 after the correct response to the challenge.
> >
> > What are my workaround options to authenticate openser against
> > asterisk (or any other RFC compliant proxy) ?
> >
> > ANY practical hints would be highly appreciated.
> >
> > TIA for your help.
> >
> > Gerry
> >
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Users mailing list
> >Users at openser.org
> >http://openser.org/cgi-bin/mailman/listinfo/users
> >
> >
>


		
___________________________________________________________ 
The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html

More information about the sr-users mailing list