Greetings,
When I use uac_auth() in a failure route in this manner:
if(t_check_status("407")) { uac_auth(); append_branch(); t_relay(); }
or the reverse order vis-a-vis uac_auth() and append_branch(), I do not see any digest authentication headers being inserted into the retransmitted INVITE request. Also, CSeq is not being incremented.
This is Kamailio 3.0.2.
Please advise.
2010/6/16 Alex Balashov abalashov@evaristesys.com:
Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS still knows nothing about the request until it receives the first INVITE (with credentials) from he proxy.
On 06/16/2010 04:27 AM, Iñaki Baz Castillo wrote:
2010/6/16 Alex Balashovabalashov@evaristesys.com:
Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS still knows nothing about the request until it receives the first INVITE (with credentials) from he proxy.
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a Proxy-Authorization header field value, it would need to increment the CSeq in the new request. However, this would cause the UAC that submitted the original request to discard a response from the UAS, as the CSeq value would be different.
Since the proxy is the authentication actor, I assumed this is how it should be done. On the other hand, if the purpose of the UAC module is to "spoof" a challenge response as if it really came from the UAC, I suppose this is not appropriate.
Either way, regardless of CSeq, the Proxy-Authorization header is not being added to the resent request. Unless I am doing something wrong, I believe uac_auth() doesn't work.
On 6/16/10 10:32 AM, Alex Balashov wrote:
On 06/16/2010 04:27 AM, Iñaki Baz Castillo wrote:
2010/6/16 Alex Balashovabalashov@evaristesys.com:
Also, CSeq is not being incremented.
Why do you want CSeq being incremented by the proxy? Note that the UAS still knows nothing about the request until it receives the first INVITE (with credentials) from he proxy.
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a Proxy-Authorization header field value, it would need to increment the CSeq in the new request. However, this would cause the UAC that submitted the original request to discard a response from the UAS, as the CSeq value would be different.Since the proxy is the authentication actor, I assumed this is how it should be done. On the other hand, if the purpose of the UAC module is to "spoof" a challenge response as if it really came from the UAC, I suppose this is not appropriate.
Either way, regardless of CSeq, the Proxy-Authorization header is not being added to the resent request. Unless I am doing something wrong, I believe uac_auth() doesn't work.
do you get any error message? The only case when is printed a dbg message is when no credentials for the realm in challenge are found. Test to see if uac_auth() returns false or true.
CSeq is not incremented is a know limitation: http://kamailio.org/docs/modules/stable/modules_k/uac.html#id2899892
Tracking CSeq will require getting into b2bua-like since there can be many auth requests.
Cheers, Daniel
On 06/16/2010 04:56 AM, Daniel-Constantin Mierla wrote:
do you get any error message? The only case when is printed a dbg message is when no credentials for the realm in challenge are found. Test to see if uac_auth() returns false or true.
There was a realm mismatch; I corrected this and Proxy-Authorization header is now being added. Thanks.
CSeq is not incremented is a know limitation: http://kamailio.org/docs/modules/stable/modules_k/uac.html#id2899892
Tracking CSeq will require getting into b2bua-like since there can be many auth requests.
Doesn't this limitation make uac_auth() essentially useless, though? If the CSeq of the second INVITE is the same as the first, it will be dampened as a retransmission, which is happening with all 3 provider gateways (I suspect) that I have tested this with. They work fine if some other UAC like Asterisk increments CSeq as normal when answering proxy challenges.
Any suggestions for what to do?
2010/6/16 Alex Balashov abalashov@evaristesys.com:
Am I misreading 3261 Section 22.3?
If a proxy were to resubmit a request adding a Proxy-Authorization header field value, it would need to increment the CSeq in the new request. However, this would cause the UAC that submitted the original request to discard a response from the UAS, as the CSeq value would be different.
I didn't remember such section in RFC 3261. IMHO it's really a dirty hack and I cannot understand how it can be published in the standard.
Since the proxy is the authentication actor, I assumed this is how it should be done. On the other hand, if the purpose of the UAC module is to "spoof" a challenge response as if it really came from the UAC, I suppose this is not appropriate.
That's exactly what I meant :)
-
Alex Balashov -
Daniel-Constantin Mierla -
Iñaki Baz Castillo