[Users] Can this work?: re. uac_auth cseq problem

G.Jacobsen g_jacobsen at yahoo.co.uk
Tue May 30 16:19:05 CEST 2006


I am still digging in this cseq uac problem which I need desperately to solve.

The problem is that the uac_auth function can create credentials for the downstream proxy after being challenged with a 401 or 407 message - but the downstream proxy (UAS) refuses this proxy_auth message since openser does not increase the cseq number. Increasing the cseq number only downstream wouldnt solve the problem since any replies of the downstream proxy back to the originating UAC would have cseq numbers which are out of sync.

I propose: In order to keep the cseq numbers in sync upstream and downstream one must generate challenges and proxy-auth responses on both legs of the route - and not only respond downstream as currently.

So whenever openser receives from the downstream proxy a challenge it must forward this challenge the originating UAC (if necessary modify the message in such a way that the UAC is guaranteed to respond). This upstream challenge causes the originating UAC to increase the cseq. Naturally openser must also increase the cseq number downstream  when generating its own proxy_auth repsonse to the downstream proxy. Whatever credentials UAC produces are discarted by openser.

The scheme:

1. UAC issues invite which is routed by OS to the downstream proxy (UAS) - as usual.
2. UAS issues challenge 401 or 407 - as usual
3. OS captures challenge on_failure route - as envisaged by UAC module
4. this is new:
a) OS relays the challenge upstream to UAC (would it be necessary to modify it before doing so ?)
b) OS constructs with uac_auth function correct proxy_auth credentials for UAS, increases the cseq with some text manipulation function and replies to UAS.
5. UAC responds with (wrong) proxy_auth credentials via OS to UAS
6. OS discards the credential message it received from the UAC - to avoid that the message reaches UAS.
7. Invite successful or failure : UAS responds with further messages which are routed to UAC.

Can this scheme work - or am I overlooking something here ?

TIA

Gerry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kamailio.org/pipermail/users/attachments/20060530/e1023120/attachment.htm 


More information about the Users mailing list