30 May
2006
30 May
'06
5:19 p.m.
I am still digging in this cseq uac problem which I need desperately to solve.
The problem is that the uac_auth function can create credentials for the downstream proxy
after being challenged with a 401 or 407 message - but the downstream proxy (UAS) refuses
this proxy_auth message since openser does not increase the cseq number. Increasing the
cseq number only downstream wouldnt solve the problem since any replies of the downstream
proxy back to the originating UAC would have cseq numbers which are out of sync.
I propose: In order to keep the cseq numbers in sync upstream and downstream one must
generate challenges and proxy-auth responses on both legs of the route - and not only
respond downstream as currently.
So whenever openser receives from the downstream proxy a challenge it must forward this
challenge the originating UAC (if necessary modify the message in such a way that the UAC
is guaranteed to respond). This upstream challenge causes the originating UAC to increase
the cseq. Naturally openser must also increase the cseq number downstream when generating
its own proxy_auth repsonse to the downstream proxy. Whatever credentials UAC produces are
discarted by openser.
The scheme:
1. UAC issues invite which is routed by OS to the downstream proxy (UAS) - as usual.
2. UAS issues challenge 401 or 407 - as usual
3. OS captures challenge on_failure route - as envisaged by UAC module
4. this is new:
a) OS relays the challenge upstream to UAC (would it be necessary to modify it before
doing so ?)
b) OS constructs with uac_auth function correct proxy_auth credentials for UAS, increases
the cseq with some text manipulation function and replies to UAS.
5. UAC responds with (wrong) proxy_auth credentials via OS to UAS
6. OS discards the credential message it received from the UAC - to avoid that the message
reaches UAS.
7. Invite successful or failure : UAS responds with further messages which are routed to
UAC.
Can this scheme work - or am I overlooking something here ?
TIA
Gerry