asterisk users - Oct 2020 - chan_sip doesn't authenticate on INVITE from a Dial() command

Hi.

I'm trying to get Asterisk 13 to authenticate when it sends an INVITE, and
for
some reason it's simply not doing it.

I've even resorted to reading the source code to try and work out what
I'm
doing wrong...

In channels/chan_sip.c I find:

 * SIP Dial string syntax:
 *     SIP/devicename
 * or SIP/username at domain (SIP uri)
 * or SIP/username[:password[:md5secret[:authname[:transport]]]]@host[:port]
 * or SIP/devicename/extension
 * or SIP/devicename/extension/IPorHost
 * or SIP/username at domain//IPorHost
 * and there is an optional [!dnid] argument you can append to alter the
 * To: header.

(Note: I don't think I have ever seen that optional "!dnid"
argument
documented anywhere...?)

So, the version with the username and password looks to me like what I want...

Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost})  or else
Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}!${SIPdial})

would seem to be what I need (I need to authenticate to SIPhost with the 
credentials SIPuser and SIPpass and I want to dial on to SIPdial).

However, doing this results in the NOTICE message:

chan_sip.c:23862 handle_response_invite: Failed to authenticate on INVITE to 
'"Antony Stone" <sip:Polycom650 at
198.51.100.29>;tag=as6625b0b4'

The first thing which puzzles me about this is that 198.51.100.29 is the IP 
address of the telephone I dialled *in* to the context with in order to cause 
the Dial() command to get processed (and Polycom650 is indeed the username of 
the telephone).

This has nothing at all to do with the username and password I'm trying to 
authenticate with at the remote server.

If I do a packet capture on this machine to show what it's actually sending 
out to SIPhost, I see three packets:

1 0.000000000  192.0.2.29 → 203.0.113.56 SIP/SDP 960 Request: INVITE 
sip:9411 at the.remote.ser.ver

2 0.007364024 203.0.113.56 → 192.0.2.29  SIP 558 Status: 401 Unauthorized

3 0.007552844  192.0.2.29 → 203.0.113.56 SIP 485 Request: ACK 
sip:9411 at the.remote.ser.ver

and that's it.

Asterisk sends the (unauthorised) INVITE, as normal, the remote server 
understandably says "401 Unauthorised" in response, to which I expect
Asterisk
to say "ACK" and then repeat the INVITE with the authentication
included, but
it does nothing after the ACK - it doesn't even try to authenticate.


If I create a stanza in sip.conf such as:

[RemoteServer]
type=peer
fromuser=9411
secret=3ce12cda9d
host=the.remote.ser.ver

and change the Dial() to:

Dial(SIP/RemoteServer/${SIPdial})

then all works, and the packet capture shows me exactly the same as above, but 
then followed by a fourth packet, which is the INVITE complete with 
authentication (which of course works).


However, creating stanzas in sip.conf is not an option for me, since I need to 
be able to dial out using account credentials which are going to be passed in 
to the dialplan as variables from an AMI Originate request (I'm creating
this
dialplan in order to check whether credentials which have been supplied to me 
are in fact correct and allow me to place a call).


So, what am I doing wrong - how can I get Asterisk to actually use the 
credentials which I've supplied in the Dial() command?


Thanks for any help :)


Antony.


-- 
I conclude that there are two ways of constructing a software design: One way 
is to make it so simple that there are _obviously_ no deficiencies, and the 
other way is to make it so complicated that there are no _obvious_ 
deficiencies.

 - C A R Hoare

                                                   Please reply to the list;
                                                         please *don't* CC
me.

On Sunday 25 October 2020 at 16:27:00, Antony Stone wrote:
> Hi.
> 
> I'm trying to get Asterisk 13 to authenticate when it sends an INVITE,
and
> for some reason it's simply not doing it.
I've made a bit of progress - I can now get it to authenticate, although
it's
still not dialling on to the correct number.
> I've even resorted to reading the source code to try and work out what
I'm
> doing wrong...
> 
> In channels/chan_sip.c I find:
> 
>  * SIP Dial string syntax:
>  *     SIP/devicename
>  * or SIP/username at domain (SIP uri)
>  * or
> SIP/username[:password[:md5secret[:authname[:transport]]]]@host[:port] *
> or SIP/devicename/extension
>  * or SIP/devicename/extension/IPorHost
>  * or SIP/username at domain//IPorHost
>  * and there is an optional [!dnid] argument you can append to alter the
>  * To: header.
> 
> (Note: I don't think I have ever seen that optional "!dnid"
argument
> documented anywhere...?)
> 
> So, the version with the username and password looks to me like what I
> want...
> 
> Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost})  or else
> Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}!${SIPdial})
> 
> would seem to be what I need (I need to authenticate to SIPhost with the
> credentials SIPuser and SIPpass and I want to dial on to SIPdial).
It turns out that the username needs to be included twice (!?), as in:

Dial(SIP/${SIPuser}:${SIPpass}::${SIPuser}@${SIPhost}/${SIPdial})

It seems that both 'username' and 'authname' need to be
supplied...
> If I do a packet capture on this machine to show what it's actually
sending
> out to SIPhost, I see three packets:
> 
> 1 0.000000000  192.0.2.29 → 203.0.113.56 SIP/SDP 960 Request: INVITE
> sip:9411 at the.remote.ser.ver
> 
> 2 0.007364024 203.0.113.56 → 192.0.2.29  SIP 558 Status: 401 Unauthorized
> 
> 3 0.007552844  192.0.2.29 → 203.0.113.56 SIP 485 Request: ACK
> sip:9411 at the.remote.ser.ver
> 
> and that's it.
Now, at least, this is followed up by an attempt to authenticate, however it 
fails.

chan_sip.c:23875 handle_response_invite: Received response:
"Forbidden" from
'"Antony Stone" <sip:Polycom650 at
198.51.100.29>;tag=as6c2ed50a'
> So, what am I doing wrong - how can I get Asterisk to actually use the
> credentials which I've supplied in the Dial() command?
I think my question has now changed to "how can I get Asterisk to use the 
credentials and successfully authenticate, then dial on to the number I
need?"
> Thanks for any help :)
> 
> 
> Antony.
-- 
"It wouldn't be a good idea to talk about him behind his back in front
of
him."

 - murble

                                                   Please reply to the list;
                                                         please *don't* CC
me.

On Sunday 25 October 2020 at 18:43:01, Antony Stone wrote:
> On Sunday 25 October 2020 at 16:27:00, Antony Stone wrote:
> > Hi.
> > 
> > I'm trying to get Asterisk 13 to authenticate when it sends an
INVITE,
> > and for some reason it's simply not doing it.
> 
> I've made a bit of progress - I can now get it to authenticate,
although
> it's still not dialling on to the correct number.
For anyone else trying to do this, I've finally achieved it :)

It turns out not even to need to !dnid option...

Set(CALLERID(num)=${SIPuser})
Dial(SIP/${SIPdial}:${SIPpass}::${SIPuser}@${SIPhost})

The CallerID setting is necessary otherwise Asterisk will send the 
authentication request, but the Dial request will get rejected with a 403 
Forbidden, because the username will be the inbound Caller ID from the 
original call.

I hope this helps others avoid spending as much time as I have trying to work 
this out.  Anyone in charge of Asterisk documentation is very welcome indeed 
to quote this as an example on pages such as 
https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Application_Dial


Best regards,


Antony.

-- 
There are 10 types of people in the world:
those who understand binary notation,
and those who don't.

                                                   Please reply to the list;
                                                         please *don't* CC
me.