[SR-Users] uac_replace_from and uac_auth fails to authenticate.

Kjeld Flarup kjeld.flarup at liberalismen.dk
Sun Jan 19 23:34:21 CET 2020 

Thanks for confirming.

As there seems to be no way to correct the From header in 
failure_dialog, then the From header has to be modified before I receive 
the call then. Which could be done by cascading with a Cascading 
Kamailio instance.


-------------------- Med Liberalistiske Hilsner ----------------------
    Civilingeniør, Kjeld Flarup - Mit sind er mere åbent end min tegnebog
    Sofienlundvej 6B, 7560 Hjerm, Tlf: 40 29 41 49
    Den ikke akademiske hjemmeside for liberalismen - www.liberalismen.dk

On 1/19/20 11:22 PM, Alex Balashov wrote:
> In non-REGISTER requests, the From URI is the identity being asserted,
> and supported by the authentication credentials.
>
> If you have control over the upstream Kamailio server, you can tinker
> with authentication options which enforce equivalence between the
> authentication username/realm and the From URI user/domain --
> specifically, by turning off this enforcement.
>
> If you don't, then a modified From value will indeed be a problem
> insofar as it may deviate from the authentication credentials.
>
> -- Alex
>
> On Sun, Jan 19, 2020 at 11:19:26PM +0100, Kjeld Flarup wrote:
>
>> I have a setup where I have a fallback to a GSM number
>>
>> I look up the GSM number and provider information in a database and sets the
>> headers.
>>
>>                    dlg_manage();
>>                    $du = "sip:" + $dbr(ra=>[0,0]);
>>                    $tu = "sip:"+$rU+"@"+$dbr(ra=>[0,0]);
>>                    $ru = "sip:"+$rU+"@"+$dbr(ra=>[0,0]);
>> uac_replace_from("sip:"+$dbr(ra=>[0,1])+"@EXTERNALIP");
>>
>> After this the call goes to a failure_route to do uac_auth()
>>
>> Now my problem is that this works with the providers Asterisk server.
>> But if the call is send to the providers Kamailio server, authentication is
>> rejected.
>>
>> Removing uac_replace_from makes the call accepted on the Kamailio server
>>
>> The only possible problem I can see is that the first INVITE without
>> authentication, has correct From header.
>> But the second with the nonce and auth, uses the wrong From header. Thus two
>> different From headers in the same SIP dialog.
>>
>> Unfortunately uac_replace_from is not allowed in failure_route, so I could
>> test if this is the problem.
>>
>> Is the two different From headers a problem, and how could that be fixed.
>>
>>
>> -- 
>> -------------------- Med Liberalistiske Hilsner ----------------------
>>     Civilingeniør, Kjeld Flarup - Mit sind er mere åbent end min tegnebog
>>     Sofienlundvej 6B, 7560 Hjerm, Tlf: 40 29 41 49
>>     Den ikke akademiske hjemmeside for liberalismen - www.liberalismen.dk
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

More information about the sr-users mailing list