[SR-Users] Handling 407 Proxy Authentication, Elastix MT

Daniel-Constantin Mierla miconda at gmail.com
Tue May 12 09:27:22 CEST 2015 

What do you mean it drops out? What side is sending the BYE?

Cheers,
Daniel

On 12/05/15 05:14, Darren Campbell (Primar) wrote:
> Had a closer look at the Digest being sent.
>
> Attempted to recreate Digest based on the username, realm, password,
> method & uri I was expecting versus the one created in the invite.
> Looks like Asterisk was using a blank password.
>
>
> Proxy-Authorization: Digest username="provideruser",
> realm="providerip", algorithm=MD5, uri="sip:provideruser at providerip",
> nonce="nonceexample", response="exampleresponse"
>
> php -r 'echo
> md5(md5("provideruser:providerip:password").":nonceexample:".md5("INVITE:sip:provideruser at providerip"));'
> someotherresponse
>
> php -r 'echo
> md5(md5("provideruser:providerip:").":nonceexample:".md5("INVITE:sip:provideruser at providerip"));'
> exampleresponse
>
>
> Here's the two lines in chan_sip.c
> (http://svn.asterisk.org/svn/asterisk/branches/11/channels/chan_sip.c)
> that could have set the secret:
>
> secret = auth->secret;
>
> secret = p->relatedpeer
>             && !ast_strlen_zero(p->relatedpeer->remotesecret)
>             ? p->relatedpeer->remotesecret : p->peersecret;
>
>
> When I checked Elastix MT code, it wasn't setting the secret for
> Asterisk Realtime because this is handled by Kamailio for extensions.
> But I noted that remotesecret could be used for peers.
>
>
> Ended up altering Elastix Mt trunk interface to allow entering
> remotesecret field via /usr/share/elastix/apps/trunks/index.php
>
>
> Now a single outbound call is able to connect, however, it drops out
> when a second outbound call is made.
>
>
> ------------------------------------------------------------------------
> *From:* Daniel-Constantin Mierla [miconda at gmail.com]
> *Sent:* Monday, 11 May 2015 8:47 PM
> *To:* Darren Campbell (Primar); Kamailio (SER) - Users Mailing List
> *Subject:* Re: [SR-Users] Handling 407 Proxy Authentication, Elastix MT
>
> What is happening then, is the provider sending back another 407?
>
> Normally the Proxy-Authorization header should stay unchanged, but if
> you change the request uri, it may result in mismatch.
>
> Cheers,
> Daniel
>
> On 11/05/15 10:26, Darren Campbell (Primar) wrote:
>> Thanks, much appreciated.
>>
>> I'm seeing the Proxy-Authorization from Asterisk in tcpdump. It seems
>> like I've been working against what's already built into Kamailio.
>>
>> Probably need to tweak some uri's though.
>>
>> When dialing out, the r-uri is:
>> sip:mobilenumberhere at exampleip
>>
>> But the uri part of the Proxy-Authorization in the new INVITE ends up
>> with uri="sip:mobilenumberhere at exampleip"
>>
>> However, I think it should be showing
>> uri="sip:providerusernamehere at exampleip"
>>
>> Regards,
>>
>> Darren
>> ------------------------------------------------------------------------
>> *From:* sr-users [sr-users-bounces at lists.sip-router.org] on behalf of
>> Daniel-Constantin Mierla [miconda at gmail.com]
>> *Sent:* Monday, 11 May 2015 6:07 PM
>> *To:* Kamailio (SER) - Users Mailing List
>> *Subject:* Re: [SR-Users] Handling 407 Proxy Authentication, Elastix MT
>>
>> Hello,
>>
>> On 11/05/15 08:41, Darren Campbell (Primar) wrote:
>>> Hi all
>>>
>>> Have Asterisk listening on 127.0.0.1 and aiming to route all
>>> inbound/outbound SIP via Kamailio listening on 127.0.0.1 and
>>> external interface.
>>>
>>> Inbound calls from the SIP PROVIDER work just fine. Have NAT,
>>> rtpproxy configured for successful registration and subsequent
>>> INVITEs etc.
>>>
>>> Experiencing some challenges with the outgoing INVITES, primarily
>>> authenticating the outbound INVITEs.
>>>
>>> The current situation is this:
>>> Asterisk > INVITE > Kamailio > INVITE > SIP PROVIDER
>>> SIP PROVIDER > 407 Proxy Authenticate > Kamailio > Transaction
>>> Cancelled.
>>> Asterisk then plays number unavailable message.
>>>
>>>
>>> The desired situation is more like this:
>>> Asterisk > INVITE > Kamailio > INVITE > SIP PROVIDER
>>> SIP PROVIDER > 407 Proxy Authenticate > Kamailio > Asterisk
>>> Asterisk > INVITE (with auth digest etc) > Kamailio > INVITE > SIP
>>> PROVIDER
>>>
>>>
>>> An attempted solution was made by having Kamailio authenticate using
>>> the uac module. However, ideally Kamailio should be mostly
>>> transparent and Asterisk should be handling and responding to the
>>> 407 Proxy Authentication.
>>>
>>> If there is someone in the Kamailio community that has addressed
>>> this situation before, guidance would be much appreciated.
>> do you have a failure_route block in kamailio.cfg? Be sure that if
>> 401/407 is received, you just exit the routing block:
>>
>> failure_route[abc] {
>>   ...
>>   if(t_check_status("401|407")) exit;
>>   ...
>> }
>>
>> Then the 401/407 replies will be sent upstream to asterisk.
>>
>> Cheers,
>> Daniel
>>
>> -- 
>> Daniel-Constantin Mierla
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>> Kamailio World Conference, May 27-29, 2015
>> Berlin, Germany - http://www.kamailioworld.com
>
> -- 
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio World Conference, May 27-29, 2015
> Berlin, Germany - http://www.kamailioworld.com

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20150512/4b147889/attachment.html>

More information about the sr-users mailing list