[SR-Users] Making RLS presence work with Blink and Kamailio 4.1.4

Alex Villacís Lasso a_villacis at palosanto.com
Wed Jul 2 20:39:30 CEST 2014


On 01/07/14 14:44, Alex Villacís Lasso wrote:
> On 26/06/14 18:39, Alex Villacís Lasso wrote:
>> I am having trouble making all of the supposed features of Blink work with Kamailio 4.1.4. My kamailio.cfg file is attached. Specifically, what I am having trouble with is presence (the way Blink wants to implement it), and MSRP. Ordinary voice calls work correctly.
>>
>
>> With MSRP, I have copied the example from the msrp.so documentation, but I have replaced the authentication shown with a static password, with an actual query using auth_db.so, the very same query used to authenticate other SIP packets. Through the packet capture, when user A tries starting a MSRP chat with user B, an INVITE is sent from user A to Kamailio, which has a special check to NOT send this invite to Asterisk, but rather route it itself, and it gets "correctly" routed to user B. Then user B attempts to start a MSRP session with Kamailio (not user A) without authentication credentials, Kamailio challenges user B for the credentials, and... that's it. User B makes no attempt to repeat the MSRP session with the required credentials, and the communication eventually times out.
> I have built and installed the python-sipsimple-clients package. With this, I can see that the receiving party attempts to make a MSRP connection to my Kamailio, and the authentication challenge triggers the following message:
>
> SIP session failed: media stream failed: 'opaque'
>
> It seems that msrplib (used by Blink and the test programs) wants a digest authentication with an "opaque" parameter. Currently the failing dialog goes like this:
>
> MSRP fa4a1c4d39cbf3fd AUTH
> To-Path: msrp://pbx.elastix.com:5060;tcp
> From-Path: msrp://192.168.3.2:39981/8b2dedc998fc1f1ed6f3;tcp
> -------fa4a1c4d39cbf3fd$
>
> MSRP fa4a1c4d39cbf3fd 401 Unauthorized
> To-Path: msrp://192.168.3.2:39981/8b2dedc998fc1f1ed6f3;tcp
> From-Path: msrp://pbx.elastix.com:5060;tcp
> WWW-Authenticate: Digest realm="pbx.elastix.com", nonce="U7MGKFOzBPxDXr7ggr7imjvcnkodRW5F", qop="auth"
> -------fa4a1c4d39cbf3fd$
>
> which is, in turn, produced by this code segment in kamailio.cfg:
>
>                 $var(msrprealm) = $(hdr(To-Path){msrpuri.host});
>                 xlog("L_ALERT","============ msrprealm: [$var(msrprealm)]\n");
>                 if (!www_authenticate("$var(msrprealm)", "subscriber", "$msrp(method)")) {
>                         if (auth_get_www_authenticate("$var(msrprealm)", "1", "$var(wauth)")) {
>                                 msrp_reply("401", "Unauthorized", "$var(wauth)");
>                         } else {
>                                 msrp_reply("500", "Server Error");
>                         }
>                         exit;
>                 }
>
> So, how do I make the authentication issue an adequate "opaque" parameter? I do not want to resort to appending a static value opaque="something" if a more elegant solution can be found. From http://en.wikipedia.org/wiki/Digest_access_authentication , I deduce that I need the server to issue an "opaque" parameter like the following:
>
> WWW-Authenticate: Digest realm="testrealm@host.com",
>                         qop="auth,auth-int",
>                         nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
>                         opaque="5ccc069c403ebaf9f0171e9517f40e41"
>

Apparently, there is no authentication procedure implemented in Kamailio 4.1.4 that is RFC compliant with MSRP.

According to http://tools.ietf.org/html/rfc4976#section-9.1 , an MSRP AUTH request must be authenticated. Simply accepting any AUTH request without actually checking the credentials is not RFC-compliant. However, the authentication specified in RFC 4976 differs from ordinary Digest authentication: the required URI for the Digest authentication is taken from the To-Path: header in the MSRP request, and is apparently not sent in the Authorization header (at least as implemented by the python-msrplib library). Additionally, none of the Kamailio methods for authentication appear capable of sending an "opaque" parameter that is apparently requested by python-msrplib. It seems that new methods msrp_authenticate() and msrp_challenge() are required.
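
Added example, not part of the original post and not Kamailio or python-msrplib code: a Python illustration of the relay-side behaviour the message describes, issuing a Digest challenge that carries an "opaque" parameter and verifying the response with the digest URI taken from To-Path. Assumptions: MD5 with qop=auth, method string "AUTH", the To-Path value used verbatim as the URI, an opaque derived as an HMAC of the nonce, and hypothetical function names throughout.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    # MD5(user:realm:password), the value a digest credential store holds.
    return md5_hex(f"{user}:{realm}:{password}")


def opaque_for(nonce, secret):
    # Assumption: opaque is an HMAC of the nonce, so the relay can check
    # that the client echoed it unchanged without keeping per-client state.
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:32]


def make_challenge(realm, secret):
    """Return (header_value, nonce) for a 401 reply to an MSRP AUTH."""
    nonce = secrets.token_hex(16)
    value = (f'Digest realm="{realm}", qop="auth", '
             f'nonce="{nonce}", opaque="{opaque_for(nonce, secret)}"')
    return value, nonce


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce):
    # RFC 2617 response computation for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_auth(to_path, params, ha1_hex, secret):
    """Check the parsed Authorization fields of an MSRP AUTH request.

    The digest URI comes from the To-Path header, not from a uri= field.
    """
    nonce = params.get("nonce", "")
    got_opaque = params.get("opaque", "").encode()
    if not hmac.compare_digest(got_opaque, opaque_for(nonce, secret).encode()):
        return False
    expected = digest_response(ha1_hex, "AUTH", to_path, nonce,
                               params.get("nc", ""), params.get("cnonce", ""))
    return hmac.compare_digest(params.get("response", "").encode(),
                               expected.encode())
```

Nonce expiry and nc replay tracking are not handled here and would be needed in a real relay.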


