thr3ads.net - asterisk users - [Asterisk-Users] SIP authentication bug with insecure= lines? [Jul 2004]

If this information is useful, please help other people find it:
Share via:

John Todd

2004-Jul-13 20:47 UTC

[Asterisk-Users] SIP authentication bug with insecure= lines?

[wrapping disabled to allow for easier review]

Yet another SIP authentication problem.

I have SER running, and passing calls to a PRI-enabled Asterisk server from a
large range of Media Terminal Adapters, and a few other Asterisk systems set up
as "clients".  I have this PRI-enabled Asterisk server functioning as
a very simple media gateway to hand off my toll-free calls to a PRI - this is a
one-way configuration (calls go to the PRI-enabled Asterisk server but don't
originate _from_ that machine.)  I have apparently hit a very strangely shaped
brick wall with authentication requests and the actual characters inside the
request string - numeric characters seem to cause problems, while alpha
characters do not.  I'm running CVS-HEAD-07/13/04-21:34:00.

Here's the definition of my SER proxy in sip.conf:

[ser-to-tollfree]
type=peer
insecure=yes
host=128.151.224.35
context=from-proxy1
secret=cracksmokingpassword

In the first two examples I show below, things work great.  The first query is
(AsteriskPBX -> SER -> AsteriskPRI) and seems to work fine; my calls go
through, no problem.  The second query is (MTA -> SER -> AsteriskPRI) and
also works fine - no problems.  Note the address of record - it's
"JohnTodd" in the second working example.  The third example is from
the exact same MTA, with the only change being that I have altered the address
of record to be "13012221111" instead of "JohnTodd", which
is the phone number of the device.  For some inexplicable reason, Asterisk wants
to authenticate the call if I have a number inside the quotes, despite my
"insecure=very" statement on the peer definition.  There are
apparently _no_ other reasons for this authentication request.  My call fails,
since I don't have authentication set up in this environment.  I have now
tested this back and forth half a dozen times to make sure I'm not going
crazy, and it does seem to be the contents inside the quotes that is causing the
"407 Proxy Authentication Required" messages to be produced.

I suspect this is a bug in Asterisk, but I know that the "insecure="
model is very touchy.  Can anyone shed some light on this before I open a
ticket?


{this is a packet capture of the typical flow of examples #1 and #2, which work
correctly}
[root@app1 asterisk]# tethereal port 5060
Capturing on eth0
  0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE
sip:18005551212@128.151.224.11;user=phone, with session description
  0.000439 128.151.224.11 -> 128.151.224.35 SIP Status: 100 Trying
  0.001085 128.151.224.11 -> 128.151.224.35 SIP Status: 180 Ringing
  1.980925 128.151.224.11 -> 128.151.224.35 SIP/SDP Status: 200 OK, with
session description
  2.071965 128.151.224.35 -> 128.151.224.11 SIP Request: ACK
sip:18005551212@128.151.224.11
[call completes normally through Asterisk, to PRI and to PSTN]
  9.042939 128.151.224.35 -> 128.151.224.11 SIP Request: BYE
sip:18005551212@128.151.224.11
  9.043038 128.151.224.11 -> 128.151.224.35 SIP Status: 200 OK
[root@app1 asterisk]# 


Example #1: works (AsteriskPBX -> SER -> AsteriskPRI)
    Message Header
        Via: SIP/2.0/UDP 128.151.224.35:5061
        To: 18005551212<sip:18005551212@128.151.224.35>
        From: "19544342000"
<sip:19544342000@128.151.224.35:5061>;tag=fa103954da5f640e9acb74f156cc0d02
            SIP from address: "19544342000"
<sip:19544342000@128.151.224.35:5061>
            SIP tag: fa103954da5f640e9acb74f156cc0d02
        Date: Wed, 14 Jul 2004 03:10:35 GMT
        Call-ID: 696099192a69d2131ba9558512682f09@38.33.33.19
        cisco-GUID: 2771289936-1289311857-2561443184-602587443
        CSeq: 1 INVITE
        Max-Forwards: 10
        Contact: <sip:19544342000@128.151.224.35:5061>
        Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER
        User-Agent: SER-0.8.12
        Content-Type: application/sdp
        Content-Length: 237

Example #2: works (MTA -> SER -> AsteriskPRI):
    Message Header
        Via: SIP/2.0/UDP 128.151.224.35:5061
        To: 18005551212<sip:18005551212@128.151.224.35>
        From: "JohnTodd"
<sip:JohnTodd@128.151.224.35:5061>;tag=711177a4e5109d504bfb492b0e7d9368
            SIP from address: "JohnTodd"
<sip:JohnTodd@128.151.224.35:5061>
            SIP tag: 711177a4e5109d504bfb492b0e7d9368
        Call-ID: 2090d5b597dad5008f1ec713f24bf8ae@10.10.29.252
        cisco-GUID: 903578249-3900514380-3966096528-3148672395
        CSeq: 1 INVITE
        Max-Forwards: 69
        Contact: <sip:JohnTodd@128.151.224.35:5061>
        Accept: application/sdp
        Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER
        Supported: timer,replaces
        User-Agent: SER-0.8.12
        Content-Type: application/sdp
        Content-Length: 335


Now, if I modify my contact information to be a phone number (as it
"should" be, in my model) then this is what I get:

[root@app1 asterisk]# tethereal port 5060
Capturing on eth0
  0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE
sip:18005551212@128.151.224.11;user=phone, with session description
  0.000547 128.151.224.11 -> 128.151.224.35 SIP Status: 407 Proxy
Authentication Required
  0.004623 128.151.224.35 -> 128.151.224.11 SIP Request: ACK
sip:18005551212@128.151.224.11;user=phone
  0.005122 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE
sip:18005551212@128.151.224.11;user=phone, with session description
  0.005481 128.151.224.11 -> 128.151.224.35 SIP Status: 403 Forbidden
  0.014618 128.151.224.35 -> 128.151.224.11 SIP Request: ACK
sip:18005551212@128.151.224.11;user=phone
[root@app1 asterisk]# 

and I get this on the console:

Jul 13 23:21:20 NOTICE[1133742896]: chan_sip.c:6902 handle_request: Failed to
authenticate user "13012221111"
<sip:13012221111@128.151.224.35:5061>;tag=89a3f4007f5078775e903f736a1410f9

Example #2: broken (MTA -> SER -> AsteriskPRI):
    Message Header
        Via: SIP/2.0/UDP 128.151.224.35:5061
        To: 18005551212<sip:18005551212@128.151.224.35>
        From: "13012221111"
<sip:13012221111@128.151.224.35:5061>;tag=46710ecadb4d1dd027f2cc4cf09546b4
            SIP from address: "13012221111"
<sip:13012221111@128.151.224.35:5061>
            SIP tag: 46710ecadb4d1dd027f2cc4cf09546b4
        Call-ID: 7aad8af6e3a695b73a32ca8b2945a1d6@10.10.29.252
        cisco-GUID: 2766138914-2181086183-3044107678-890207647
        CSeq: 1 INVITE
        Max-Forwards: 69
        Contact: <sip:13012221111@128.151.224.35:5061>
        Accept: application/sdp
        Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER
        Supported: timer,replaces
        User-Agent: SER-0.8.12
        Content-Type: application/sdp
        Content-Length: 340


Sleep?  What sleep?!

JT

Andres

2004-Jul-14 15:27 UTC

head link

[Asterisk-Users] SIP authentication bug with insecure= lines?

> wall with authentication requests and the actual characters inside the
request string - numeric characters seem to cause problems, while alpha
characters do not.  I'm running CVS-HEAD-07/13/04-21:34:00.
>
>Here's the definition of my SER proxy in sip.conf:
>
>[ser-to-tollfree]
>type=peer
>insecure=yes
>host=128.151.224.35
>context=from-proxy1
>secret=cracksmokingpassword
>
>
>  
>Hi John,

We also had related problems a while ago.  What fixed it for us whas 
"insecure=very".  Give it a try and see if it helps.

-- 
Andres
Network Admin
http://www.telesip.net

Seemingly Similar Threads

Search for more apparently analagous threads

asterisk users - Jul 2004 - SIP authentication bug with insecure= lines?

[Asterisk-Users] SIP authentication bug with insecure= lines?

[Asterisk-Users] SIP authentication bug with insecure= lines?

Seemingly Similar Threads