John Todd
2004-Jul-13 20:47 UTC
[Asterisk-Users] SIP authentication bug with insecure= lines?
[wrapping disabled to allow for easier review] Yet another SIP authentication problem. I have SER running, and passing calls to a PRI-enabled Asterisk server from a large range of Media Terminal Adapters, and a few other Asterisk systems set up as "clients". I have this PRI-enabled Asterisk server functioning as a very simple media gateway to hand off my toll-free calls to a PRI - this is a one-way configuration (calls go to the PRI-enabled Asterisk server but don't originate _from_ that machine.) I have apparently hit a very strangely shaped brick wall with authentication requests and the actual characters inside the request string - numeric characters seem to cause problems, while alpha characters do not. I'm running CVS-HEAD-07/13/04-21:34:00. Here's the definition of my SER proxy in sip.conf: [ser-to-tollfree] type=peer insecure=yes host=128.151.224.35 context=from-proxy1 secret=cracksmokingpassword In the first two examples I show below, things work great. The first query is (AsteriskPBX -> SER -> AsteriskPRI) and seems to work fine; my calls go through, no problem. The second query is (MTA -> SER -> AsteriskPRI) and also works fine - no problems. Note the address of record - it's "JohnTodd" in the second working example. The third example is from the exact same MTA, with the only change being that I have altered the address of record to be "13012221111" instead of "JohnTodd", which is the phone number of the device. For some inexplicable reason, Asterisk wants to authenticate the call if I have a number inside the quotes, despite my "insecure=very" statement on the peer definition. There are apparently _no_ other reasons for this authentication request. My call fails, since I don't have authentication set up in this environment. I have now tested this back and forth half a dozen times to make sure I'm not going crazy, and it does seem to be the contents inside the quotes that is causing the "407 Proxy Authentication Required" messages to be produced. I suspect this is a bug in Asterisk, but I know that the "insecure=" model is very touchy. Can anyone shed some light on this before I open a ticket? {this is a packet capture of the typical flow of examples #1 and #2, which work correctly} [root@app1 asterisk]# tethereal port 5060 Capturing on eth0 0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description 0.000439 128.151.224.11 -> 128.151.224.35 SIP Status: 100 Trying 0.001085 128.151.224.11 -> 128.151.224.35 SIP Status: 180 Ringing 1.980925 128.151.224.11 -> 128.151.224.35 SIP/SDP Status: 200 OK, with session description 2.071965 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11 [call completes normally through Asterisk, to PRI and to PSTN] 9.042939 128.151.224.35 -> 128.151.224.11 SIP Request: BYE sip:18005551212@128.151.224.11 9.043038 128.151.224.11 -> 128.151.224.35 SIP Status: 200 OK [root@app1 asterisk]# Example #1: works (AsteriskPBX -> SER -> AsteriskPRI) Message Header Via: SIP/2.0/UDP 128.151.224.35:5061 To: 18005551212<sip:18005551212@128.151.224.35> From: "19544342000" <sip:19544342000@128.151.224.35:5061>;tag=fa103954da5f640e9acb74f156cc0d02 SIP from address: "19544342000" <sip:19544342000@128.151.224.35:5061> SIP tag: fa103954da5f640e9acb74f156cc0d02 Date: Wed, 14 Jul 2004 03:10:35 GMT Call-ID: 696099192a69d2131ba9558512682f09@38.33.33.19 cisco-GUID: 2771289936-1289311857-2561443184-602587443 CSeq: 1 INVITE Max-Forwards: 10 Contact: <sip:19544342000@128.151.224.35:5061> Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER User-Agent: SER-0.8.12 Content-Type: application/sdp Content-Length: 237 Example #2: works (MTA -> SER -> AsteriskPRI): Message Header Via: SIP/2.0/UDP 128.151.224.35:5061 To: 18005551212<sip:18005551212@128.151.224.35> From: "JohnTodd" <sip:JohnTodd@128.151.224.35:5061>;tag=711177a4e5109d504bfb492b0e7d9368 SIP from address: "JohnTodd" <sip:JohnTodd@128.151.224.35:5061> SIP tag: 711177a4e5109d504bfb492b0e7d9368 Call-ID: 2090d5b597dad5008f1ec713f24bf8ae@10.10.29.252 cisco-GUID: 903578249-3900514380-3966096528-3148672395 CSeq: 1 INVITE Max-Forwards: 69 Contact: <sip:JohnTodd@128.151.224.35:5061> Accept: application/sdp Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER Supported: timer,replaces User-Agent: SER-0.8.12 Content-Type: application/sdp Content-Length: 335 Now, if I modify my contact information to be a phone number (as it "should" be, in my model) then this is what I get: [root@app1 asterisk]# tethereal port 5060 Capturing on eth0 0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description 0.000547 128.151.224.11 -> 128.151.224.35 SIP Status: 407 Proxy Authentication Required 0.004623 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11;user=phone 0.005122 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description 0.005481 128.151.224.11 -> 128.151.224.35 SIP Status: 403 Forbidden 0.014618 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11;user=phone [root@app1 asterisk]# and I get this on the console: Jul 13 23:21:20 NOTICE[1133742896]: chan_sip.c:6902 handle_request: Failed to authenticate user "13012221111" <sip:13012221111@128.151.224.35:5061>;tag=89a3f4007f5078775e903f736a1410f9 Example #2: broken (MTA -> SER -> AsteriskPRI): Message Header Via: SIP/2.0/UDP 128.151.224.35:5061 To: 18005551212<sip:18005551212@128.151.224.35> From: "13012221111" <sip:13012221111@128.151.224.35:5061>;tag=46710ecadb4d1dd027f2cc4cf09546b4 SIP from address: "13012221111" <sip:13012221111@128.151.224.35:5061> SIP tag: 46710ecadb4d1dd027f2cc4cf09546b4 Call-ID: 7aad8af6e3a695b73a32ca8b2945a1d6@10.10.29.252 cisco-GUID: 2766138914-2181086183-3044107678-890207647 CSeq: 1 INVITE Max-Forwards: 69 Contact: <sip:13012221111@128.151.224.35:5061> Accept: application/sdp Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER Supported: timer,replaces User-Agent: SER-0.8.12 Content-Type: application/sdp Content-Length: 340 Sleep? What sleep?! JT
Andres
2004-Jul-14 15:27 UTC
[Asterisk-Users] SIP authentication bug with insecure= lines?
> wall with authentication requests and the actual characters inside the request string - numeric characters seem to cause problems, while alpha characters do not. I'm running CVS-HEAD-07/13/04-21:34:00. > >Here's the definition of my SER proxy in sip.conf: > >[ser-to-tollfree] >type=peer >insecure=yes >host=128.151.224.35 >context=from-proxy1 >secret=cracksmokingpassword > > > >Hi John, We also had related problems a while ago. What fixed it for us whas "insecure=very". Give it a try and see if it helps. -- Andres Network Admin http://www.telesip.net