[OpenSER-Users] Proxy Authorization - Two Digests

Ash Rah ash at droshta.net
Fri Apr 25 05:18:08 CEST 2008 

I passed the domain string as first parameter in proxy_authorize (also 
in REGISTER's www_authorize in a separate test) - but I still get Proxy 
Auth Failed.

Getting the same result, two copies of digest response are being sent 
from X-Lite. OpenSER (most likely) denying Auth based on the Digest 
issued for Asterisk.

Proxy-Authorization: Digest 
username="1274229212",realm="asterisk",nonce="1780f1c0",uri="sip:6099999999999 at sip.dummydomain",response="bb7a713ee1d85608390ec8adbcc6bda4",algorithm=MD5.
Proxy-Authorization: Digest 
username="1274229212",realm="sip.dummydomain",nonce="48114cd64a57df739fc9d6131eb3057c3afc3eac",uri="sip:6099999999999 at sip.dummydomain",response="89a293207ff00c3bf2d3ec483aa0838d",algo
rithm=MD5.

Iñaki Baz Castillo wrote:
> El Viernes, 25 de Abril de 2008, Ash Rah escribió:
>   
>> Hi,
>>
>> On initial INVITEs, both OpenSER and Asterisk send separate nonce and
>> X-Lite then sends back two different digests in a single following INVITE :
>>
>> Proxy-Authorization: Digest
>> username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848
>> 484 at sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorit
>> hm=MD5.
>>
>>
>> Proxy-Authorization: Digest
>> username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f
>> 977cae40a747d26f7e9c5f",uri="sip:6048484848484 at sip.dummydomain.com",response
>> ="361700cce632c00ff70ede5e5126c6ac",algo
>>
>> The first one is for asterisk, (realm="asterisk") and the second one is
>> for OpenSER. But unfortunately OpenSER probably examines the first
>> digest which causes failed Proxy Authorization.
>>
>> Is it possible to instruct OpenSER to inspect both of the digests before
>> it makes a decision?
>>     
>
> Yes, but you must specify it, try this:
>
> if (!proxy_authorize("sip.dummydomain.com","subscriber")) {
>                         proxy_challenge("","0");
>                         exit;
> }
>
>
> Do you understand? if "proxy_authorize" has an empty first parameter then 
> OpenSer tries to authenticate against a realm paramenter that the client 
> sends in the first "Proxy-Authorization" header.
>
> Anyway I've never tryed it so I'm not sure but hope theorically it should work 
> XD
>
>
> Regards.
>
>
>

More information about the sr-users mailing list