16 Jun
2010
16 Jun
'10
6:15 a.m.
Greetings,
When I use uac_auth() in a failure route in this manner:
if(t_check_status("407")) {
uac_auth();
append_branch();
t_relay();
}
or the reverse order vis-a-vis uac_auth() and append_branch(), I do not
see any digest authentication headers being inserted into the
retransmitted INVITE request. Also, CSeq is not being incremented.
This is Kamailio 3.0.2.
Please advise.
--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
16 Jun
16 Jun
11:27 a.m.
2010/6/16 Alex Balashov <abalashov(a)evaristesys.com>om>:
Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS
still knows nothing about the request until it receives the first
INVITE (with credentials) from he proxy.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
11:32 a.m.
On 06/16/2010 04:27 AM, Iñaki Baz Castillo wrote:
2010/6/16 Alex
Balashov<abalashov(a)evaristesys.com>om>:
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a
Proxy-Authorization header field value, it would need
to increment the CSeq in the new request. However, this
would cause the UAC that submitted the original request to
discard a response from the UAS, as the CSeq value would
be different.
Since the proxy is the authentication actor, I assumed this is how it
should be done. On the other hand, if the purpose of the UAC module
is to "spoof" a challenge response as if it really came from the UAC,
I suppose this is not appropriate.
Either way, regardless of CSeq, the Proxy-Authorization header is not
being added to the resent request. Unless I am doing something wrong,
I believe uac_auth() doesn't work.
--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS
still knows nothing about the request until it receives the first
INVITE (with credentials) from he proxy. 
11:56 a.m.
On 6/16/10 10:32 AM, Alex Balashov wrote:
On 06/16/2010 04:27 AM, Iñaki Baz Castillo wrote:
do you get any error message? The only case
when is printed a dbg
message is when no credentials for the realm in challenge are found.
Test to see if uac_auth() returns false or true.
CSeq is not incremented is a know limitation:
http://kamailio.org/docs/modules/stable/modules_k/uac.html#id2899892
Tracking CSeq will require getting into b2bua-like since there can be
many auth requests.
Cheers,
Daniel
--
Daniel-Constantin Mierla
Asterisk SIP Router Masterclass
Malaga, Spain - July 5-9, 2010
http://www.asipto.com/
2010/6/16 Alex
Balashov<abalashov(a)evaristesys.com>om>:
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a
Proxy-Authorization header field value, it would need
to increment the CSeq in the new request. However, this
would cause the UAC that submitted the original request to
discard a response from the UAS, as the CSeq value would
be different.
Since the proxy is the authentication actor, I assumed this is how it
should be done. On the other hand, if the purpose of the UAC module
is to "spoof" a challenge response as if it really came from the UAC,
I suppose this is not appropriate.
Either way, regardless of CSeq, the Proxy-Authorization header is not
being added to the resent request. Unless I am doing something wrong,
I believe uac_auth() doesn't work. Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS
still knows nothing about the request until it receives the first
INVITE (with credentials) from he proxy.
11:23 p.m.
On 06/16/2010 04:56 AM, Daniel-Constantin Mierla wrote:
do you get any error message? The only case when is
printed a dbg
message is when no credentials for the realm in challenge are found.
Test to see if uac_auth() returns false or true.
There was a realm mismatch; I corrected this and Proxy-Authorization
header is now being added. Thanks.
CSeq is not incremented is a know limitation:
http://kamailio.org/docs/modules/stable/modules_k/uac.html#id2899892
Tracking CSeq will require getting into b2bua-like since there can be
many auth requests.
Doesn't this limitation make uac_auth() essentially useless, though?
If the CSeq of the second INVITE is the same as the first, it will be
dampened as a retransmission, which is happening with all 3 provider
gateways (I suspect) that I have tested this with. They work fine if
some other UAC like Asterisk increments CSeq as normal when answering
proxy challenges.
Any suggestions for what to do?
--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
12:45 p.m.
2010/6/16 Alex Balashov <abalashov(a)evaristesys.com>om>:
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a
Proxy-Authorization header field value, it would need
to increment the CSeq in the new request. However, this
would cause the UAC that submitted the original request to
discard a response from the UAS, as the CSeq value would
be different.
I didn't remember such section in RFC 3261. IMHO it's really a dirty
hack and I cannot understand how it can be published in the standard.
Since the proxy is the authentication actor, I assumed
this is how it should
be done. On the other hand, if the purpose of the UAC module is to "spoof"
a challenge response as if it really came from the UAC, I suppose this is
not appropriate.
That's exactly what I meant :)
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
5273
days inactive
5273
days old
5 comments
3 participants
participants (3)
-
Alex Balashov -
Daniel-Constantin Mierla -
Iñaki Baz Castillo