25 Apr
2008
25 Apr
'08
6:18 a.m.
I passed the domain string as first parameter in proxy_authorize (also
in REGISTER's www_authorize in a separate test) - but I still get Proxy
Auth Failed.
Getting the same result, two copies of digest response are being sent
from X-Lite. OpenSER (most likely) denying Auth based on the Digest
issued for Asterisk.
Proxy-Authorization: Digest
username="1274229212",realm="asterisk",nonce="1780f1c0",uri="sip:6099999999999@sip.dummydomain",response="bb7a713ee1d85608390ec8adbcc6bda4",algorithm=MD5.
Proxy-Authorization: Digest
username="1274229212",realm="sip.dummydomain",nonce="48114cd64a57df739fc9d6131eb3057c3afc3eac",uri="sip:6099999999999@sip.dummydomain",response="89a293207ff00c3bf2d3ec483aa0838d",algo
rithm=MD5.
Iñaki Baz Castillo wrote:
El Viernes, 25 de Abril de 2008, Ash Rah escribió:
Hi,
On initial INVITEs, both OpenSER and Asterisk send separate nonce and
X-Lite then sends back two different digests in a single following INVITE :
Proxy-Authorization: Digest
username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848
484@sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorit
hm=MD5.
Proxy-Authorization: Digest
username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f
977cae40a747d26f7e9c5f",uri="sip:6048484848484@sip.dummydomain.com",response
="361700cce632c00ff70ede5e5126c6ac",algo
The first one is for asterisk, (realm="asterisk") and the second one is
for OpenSER. But unfortunately OpenSER probably examines the first
digest which causes failed Proxy Authorization.
Is it possible to instruct OpenSER to inspect both of the digests before
it makes a decision?
Yes, but you must specify it, try this:
if (!proxy_authorize("sip.dummydomain.com","subscriber")) {
proxy_challenge("","0");
exit;
}
Do you understand? if "proxy_authorize" has an empty first parameter then
OpenSer tries to authenticate against a realm paramenter that the client
sends in the first "Proxy-Authorization" header.
Anyway I've never tryed it so I'm not sure but hope theorically it should work
XD
Regards.