[SR-Users] Kamailio - Nonce validity between Register and Invite
Daniel-Constantin Mierla
miconda at gmail.com
Wed Aug 22 14:17:14 CEST 2012
Hello,
On 8/22/12 10:51 AM, patrice.bodeven at orange.com wrote:
>
> Hello,
>
> I am working on Kamailio 3.2.2. There is no traffic, only functional
> test done.
>
> Based on the SIP Client used until now (Xlite), the INVITE is
> systematically authenticated by 407 as there is no Proxy-Authorization
> in the initial INVITE. Expected/normal behavior.
>
> But when using an internal SIP client, the initial INVITE is generated
> with a Proxy-Authorization containing the nonce value used by the
> successful registration.
>
> _In Authorization of Register (the answer is 200OK)_
>
> Digest username="+33296488922 at ims.v0.pftest.net",
> realm="sip:ims.v0.pftest.net",
> nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA",
> uri="sip:ims.v0.pftest.net",
> response="4ed51b8e62cf769b19f8c4771e068ad3",
> cnonce="06440000000529330fe1", qop=auth, nc=00000011
>
> _In Proxy-Authorization of Invite _
>
> Digest username="+33296488922 at ims.v0.pftest.net",
> realm="sip:ims.v0.pftest.net",
> nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA",
> uri="sip:0157361149 at ims.v0.pftest.net",
> response="b247052d6d5b37e0b6677c816390cb77",
> cnonce="06440000000529330fe1", qop=auth, nc=00000012
>
> As the nonce expire is high (see nonce_expire), I don't understand why
> Kamailio requests the Authentication of the INVITE by 407.
>
> _407 with Proxy-Authenticate_: Digest realm="ims.v0.pftest.net",
> nonce="UDP6pVAzpkWDF+jSlP3zzVYcuNPhY8NQBj62WIA=", qop="auth", stale=true
>
> *Does it mean that the REGISTER and INVITE are using different Nonce
> value ? *
>
> èInformation on my configuration file.
>
> modparam("auth_db", "db_url", DBURLAUTH)
>
> modparam("auth", "auth_checks_register", 6) # callid and From TAG
>
> modparam("auth", "qop", "auth") # enable qop=auth
>
> modparam("auth", "nonce_count", 1) # enable nonce_count support
>
> modparam("auth", "nonce_expire", 21600) # Set nonce_expire to 6 hours
>
> For register, I do
>
> if (!www_authorize("$ru", "subscriber"))
>
> {
>
> if($? == -2 || $? == -3) {
>
> sl_send_reply("403","Forbidden auth ID");
>
> exit;
>
> }
>
> else {
>
> www_challenge("$ru", "17");
>
> exit;
>
> }
>
> }
>
> For invite, I do
>
> if (!proxy_authorize("$fd", "subscriber"))
>
> {
>
> if($? == -2 || $? == -3) {
>
> sl_send_reply("403","Forbidden auth ID");
>
> exit;
>
> }
>
> else {
>
> proxy_challenge("$fd", "17");
>
> xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");
>
> exit;
>
> }
>
> }
>
> Followed by consume_credentials();
>
> Thanks in advance for your support.
>
set debug=3 in your configuration file and watch the log messages. You
should get some leads about why the authentication is not succeeding.
Cheers,
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20120822/4f69886f/attachment.htm>
More information about the sr-users
mailing list