26 Jan
2022
26 Jan
'22
6:54 p.m.
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new REGISTER
with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy
and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm handling
a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
27 Jan
27 Jan
6:15 p.m.
Hi,
I'm running a scenario very similar to yours with kamailio 5.5.3 and I have
no issue.
The only difference with your scenario is that I don't do the challenge
with the client, I always reply 403 and release the transaction after.
I didn't have the time to replicate your exact scenario but it could be
worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new REGISTER
with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
31 Jan
31 Jan
12:39 p.m.
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put
messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has not worked,
I still have the same error.
Upon searching and digging through the logs I still can't understand why
after the http client is doing it's request, the debugger shows that we are
not in "request" route but in "failure" route instead, I don't
know if this
is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request
made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
Hi,
I'm running a scenario very similar to yours with kamailio 5.5.3 and I
have no issue.
The only difference with your scenario is that I don't do the challenge
with the client, I always reply 403 and release the transaction after.
I didn't have the time to replicate your exact scenario but it could be
worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
8:55 p.m.
Hi Cyril,
it is normal that the callback route is considered a failure route, this is
the internal behavior of transaction suspension/resume as implemented by
the tm module.
Are you sure that there is no other SIP message interfering with your flow?
Could you set kamailio loglevel to 3 to see what happens?
Cheers,
Federico
On Mon, Jan 31, 2022 at 10:41 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put
messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has
not worked, I still have the same error.
Upon searching and digging through the logs I still can't understand why
after the http client is doing it's request, the debugger shows that we are
not in "request" route but in "failure" route instead, I don't
know if this
is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request
made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu <
federico.cabiddu(a)gmail.com> a écrit :
Hi,
I'm running a scenario very similar to yours with kamailio 5.5.3 and I
have no issue.
The only difference with your scenario is that I don't do the challenge
with the client, I always reply 403 and release the transaction after.
I didn't have the time to replicate your exact scenario but it could be
worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1 Feb
1 Feb
12:53 p.m.
Hi Federico,
Ok, I wasn't aware of this detail about suspend/resume implementation,
thanks for pointing that out.
I made a test with debug level 3 as requested, please find the raw logs
here : https://pastebin.com/y6kZiweh
I don't think there are other SIP messages interfering with the flow, I
have TCP checks (load balancer) running but nothing else is doing SIP
requests.
As for the client, it sends a REGISTER request, then we reply 401 , then
the client sends a new REGISTER with challenge, and we send 500 server
error occurred (not me but likely the TMX module).
I'm doing my best trying to understand what went wrong but I'm hitting a
wall, thanks for your help :)
Cyril
Le lun. 31 janv. 2022 à 18:57, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
Hi Cyril,
it is normal that the callback route is considered a failure route, this
is the internal behavior of transaction suspension/resume as implemented by
the tm module.
Are you sure that there is no other SIP message interfering with your flow?
Could you set kamailio loglevel to 3 to see what happens?
Cheers,
Federico
On Mon, Jan 31, 2022 at 10:41 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put
messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has
not worked, I still have the same error.
Upon searching and digging through the logs I still can't understand why
after the http client is doing it's request, the debugger shows that we are
not in "request" route but in "failure" route instead, I don't
know if this
is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request
made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu <
federico.cabiddu(a)gmail.com> a écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi,
I'm running a scenario very similar to yours with kamailio 5.5.3 and I
have no issue.
The only difference with your scenario is that I don't do the challenge
with the client, I always reply 403 and release the transaction after.
I didn't have the time to replicate your exact scenario but it could be
worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask
an HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
2 Feb
2 Feb
9:48 p.m.
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new REGISTER
with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
3 Feb
3 Feb
1:58 a.m.
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the
login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if
this user/password is ok to connect and allow/deny based on the reply and
informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
9:56 a.m.
On 2 Feb 2022, at 23:58, Cyril Ramière
<cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are
"dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this
user/password is ok to connect and allow/deny based on the reply and informations provided
by the API.
Everything is relying on the fact that I can make my HTTP call when handling the
REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try
http_client. I’ve used it a lot of time for authentication. It will block your thread
while waiting for response, but you can handle some of those issues by caching secrets for
a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com
<mailto:khorsmann@gmail.com>> a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
<https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html>
Cyril Ramière <cyril.ramiere(a)gmail.com <mailto:cyril.ramiere@gmail.com>>
schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and
http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have
an Authorization header.
Since I don't have an Authorization (first message), I use
"www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the
correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if
this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws
this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a
final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm handling a
REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar
<http://xxx.xxx.xxx.xxx:9000/auth?foo=bar>", "AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
11:54 a.m.
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block the
thread during the request.
Since a lot of sip phones will register & interact with kamailio it could
seriously hurt the performance.
I will implement caching for sure regardless of the
async/non-async-non-optimal solution, but I still hope that this issue will
be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson <oej(a)edvina.net> a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the
login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if
this user/password is ok to connect and allow/deny based on the reply and
informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
12:27 p.m.
On 3 Feb 2022, at 09:54, Cyril Ramière
<cyril.ramiere(a)gmail.com> wrote:
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block the thread during
the request
Depends of course of your HTTP server… And the number of UDP/TCP
listeners. It won’t block all listeners.
Since registrations are less time-critical, you could handle the request asynchronously in
a background process and thus not block the listener which would lead to more or less the
same as using http_asynch. Just fire up a large amount of background processes :-)
/O
Since a lot of sip phones will register & interact with kamailio it could seriously
hurt the performance.
I will implement caching for sure regardless of the async/non-async-non-optimal solution,
but I still hope that this issue will be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson <oej(a)edvina.net
<mailto:oej@edvina.net>> a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière
<cyril.ramiere(a)gmail.com <mailto:cyril.ramiere@gmail.com>> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are
"dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this
user/password is ok to connect and allow/deny based on the reply and informations provided
by the API.
Everything is relying on the fact that I can make my HTTP call when handling the
REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try
http_client. I’ve used it a lot of time for authentication. It will block your thread
while waiting for response, but you can handle some of those issues by caching secrets for
a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com
<mailto:khorsmann@gmail.com>> a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
<https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html>
Cyril Ramière <cyril.ramiere(a)gmail.com <mailto:cyril.ramiere@gmail.com>>
schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and
http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have
an Authorization header.
Since I don't have an Authorization (first message), I use
"www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the
correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if
this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws
this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a
final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm handling a
REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar
<http://xxx.xxx.xxx.xxx:9000/auth?foo=bar>", "AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1:26 p.m.
You said to handle the registrations inside a background process, how do
you achieve that?
In fact I already tried to use the async framework and it wasn't working
too, got the same error.
Inside my REGISTER handling route I do :
<check for digest, if not provided -> challenge, if provided then go:>
async_task_route("AUTH_DOQUERY");
My AUTH_DOQUERY is:
route[AUTH_DOQUERY]{
xlog("L_NOTICE", "[AUTH_DOQUERY] INIT \n\n");
#I will put the http_client here, but since it is not working there is
no need atm.
route(AUTH_REPLY);
}
And it still manages to produce the same critical error when entering my
AUTH_REPLY route :(
16(23) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
Le jeu. 3 févr. 2022 à 10:29, Olle E. Johansson <oej(a)edvina.net> a écrit :
On 3 Feb 2022, at 09:54, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block
the thread during the request
Depends of course of your HTTP server… And the number of UDP/TCP
listeners. It won’t block all listeners.
Since registrations are less time-critical, you could handle the request
asynchronously in a background process and thus not block the listener
which would lead to more or less the same as using http_asynch. Just fire
up a large amount of background processes :-)
/O
Since a lot of sip phones will register & interact with kamailio it could
seriously hurt the performance.
I will implement caching for sure regardless of the
async/non-async-non-optimal solution, but I still hope that this issue will
be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson <oej(a)edvina.net> a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the
login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if
this user/password is ok to connect and allow/deny based on the reply and
informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask
an HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1:37 p.m.
I have to admit that even looking at the debug logs I cannot understand
what's going on in your case.
As said I'm running an authentication scenario very similar to yours, being
the challenge the only difference.
What I can suggest to further digging is to reduce your configuration as
much as possible (e.g. I see that you are using topoh) and see if we can
understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson <oej(a)edvina.net> wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the
login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if
this user/password is ok to connect and allow/deny based on the reply and
informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an
HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
2:06 p.m.
Okay, so I have done that,
Please find here :
https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1c…
My full config (I redacted some parts like IPs and domains), with the
minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
I have to admit that even looking at the debug logs I
cannot understand
what's going on in your case.
As said I'm running an authentication scenario very similar to yours,
being the challenge the only difference.
What I can suggest to further digging is to reduce your configuration as
much as possible (e.g. I see that you are using topoh) and see if we can
understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson <oej(a)edvina.net> wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the
login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if
this user/password is ok to connect and allow/deny based on the reply and
informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
I have a weird issue with kamailio (latest docker
image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I
check if I have an Authorization header.
Since I don't have an Authorization (first message), I
use "www_challenge()".
This replies to the SIP phone, and then the SIP phone sends a new
REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask
an HTTP endpoint if this user is allowed to connect and check the password
using http_async_query().
The problem is that when the transaction resumes, the tmx module is
unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone.
The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic?
Is pausing/resuming to use the async http client is allowed if I'm
handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
4 Feb
4 Feb
11:58 a.m.
Hi Cyril,
I tried your script and changing
sl_send_reply("200","OK");
with
send_reply("200","OK") or
t_reply("200","OK");
it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1)
for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there
is actually no reply code for the transaction (no reply has been
received/generated)
Could you try the following snippet based on http_async_client?
request_route {
xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp
LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){
xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm -
code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n");
if(!is_present_hf("Authorization")){
xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending
CHALLENGE for $fU ($fu) (FINAL)\n");
www_challenge("$td","1");
exit;
}
else{
xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to
AUTH_DOQUERY using http_async_client\n");
t_newtran();
http_async_query("http://127.0.0.1:8000/","AUTH_REPLY");
}
}
exit;
}
route[AUTH_REPLY]{
xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n");
send_reply("200","OK");
exit;
}
(I'm running a simple http server always replying 200 on the loopback
interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Okay, so I have done that,
Please find here :
https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1c…
My full config (I redacted some parts like IPs and domains), with the
minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
I have to admit that even looking at the debug
logs I cannot understand
what's going on in your case.
As said I'm running an authentication scenario very similar to yours,
being the challenge the only difference.
What I can suggest to further digging is to reduce your configuration as
much as possible (e.g. I see that you are using topoh) and see if we can
understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson <oej(a)edvina.net> wrote:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle
the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint
if this user/password is ok to connect and allow/deny based on the reply
and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan. 2022,
08:04:
> Hi there,
>
> I have a weird issue with kamailio (latest docker
> image kamailio-ci:5.5.2-alpine) and http_async_client.
>
> Before posting a lot of logs, let me describe what I want to achieve.
>
> I have a Kamailio and a SIP Phone.
>
> The SIP phone sends a REGISTER to kamailio, then in my routing block,
> I check if I have an Authorization header.
>
> Since I don't have an Authorization (first message), I
> use "www_challenge()".
> This replies to the SIP phone, and then the SIP phone sends a new
> REGISTER with the correct Authorization header.
>
> So far so good.
>
> Now, when I get the REGISTER with Authorization header, I want to ask
> an HTTP endpoint if this user is allowed to connect and check the password
> using http_async_query().
>
> The problem is that when the transaction resumes, the tmx module is
> unhappy and throws this error :
>
> 30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
> branch (-1) for a final response in MODE_ONFAILURE
>
> And a 500 error is sent back to the sip phone.
> The AUTH_REPLY route is still called and I can use the $http* values.
>
> Do you see something that I am doing wrong or missing in my logic?
> Is pausing/resuming to use the async http client is allowed if I'm
> handling a REGISTER transaction?
>
> Here's a simplified version of my routing block (not far from reality):
>
> ##### SNIP
>
> request_route{
>
> route(AUTH);
>
>
> route[AUTH]{
>
> if (is_method("REGISTER"){
>
> if(no_auth_header){
>
> www_challenge("$td","1");
>
> exit;
>
> }
>
> else{
>
> t_newtran();
>
> http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
>
> }
>
> }
>
> }
>
>
> route[AUTH_REPLY]{
>
> xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
>
> }
>
>
> }
>
> ##### END SNIP
>
>
> Best regards!
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users(a)lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only
> to the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
8 Feb
8 Feb
12:30 p.m.
Hi Federico,
Thank you, this was the solution!
You were right about trying to log $T(reply_code), this triggers the
critical error and sends a 500 internal server error message.
Since I was using the same xlog line across my entire code, $T(reply_code)
was called multiple times, I didn't think it would cause such an issue
since the documentation states that it returns 0 in the worst case.
I stumbled across another issue, my rtpengine stopped working, it was due
to the fact that the http async client (so async framework) uses a
"failure_route" when triggering the callback route, so the first action of
rtpengine_manage() is to DELETE the transaction if in failure_route.
I moved/refactored some logic to trigger rtpengine inside a branch_route,
but I'm wondering if there is a way after my http query is done to revert
back to the request_route instead of the failure_route.
Cheers,
Cyril
Le ven. 4 févr. 2022 à 10:00, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
Hi Cyril,
I tried your script and changing
sl_send_reply("200","OK");
with
send_reply("200","OK") or
t_reply("200","OK");
it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch
(-1) for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there
is actually no reply code for the transaction (no reply has been
received/generated)
Could you try the following snippet based on http_async_client?
request_route {
xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp
LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){
xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm -
code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n");
if(!is_present_hf("Authorization")){
xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending
CHALLENGE for $fU ($fu) (FINAL)\n");
www_challenge("$td","1");
exit;
}
else{
xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to
AUTH_DOQUERY using http_async_client\n");
t_newtran();
http_async_query("http://127.0.0.1:8000/","AUTH_REPLY");
}
}
exit;
}
route[AUTH_REPLY]{
xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n");
send_reply("200","OK");
exit;
}
(I'm running a simple http server always replying 200 on the loopback
interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Okay, so I have done that,
Please find here :
https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1c…
My full config (I redacted some parts like IPs and domains), with the
minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu <
federico.cabiddu(a)gmail.com> a écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
I have to admit that even looking at the debug
logs I cannot understand
what's going on in your case.
As said I'm running an authentication scenario very similar to yours,
being the challenge the only difference.
What I can suggest to further digging is to reduce your configuration as
much as possible (e.g. I see that you are using topoh) and see if we can
understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson <oej(a)edvina.net> wrote:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the
clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle
the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint
if this user/password is ok to connect and allow/deny based on the reply
and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when
handling the REGISTER, sadly for me, it doesn't work and I still can't
figure why.
Try http_client. I’ve used it a lot of time for authentication. It will
block your thread while waiting for response, but you can handle some of
those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com> a
écrit :
> Hi Cyril,
>
> This Kamailio module could imho do the same
>
> https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
>
>
> Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan.
> 2022, 08:04:
>
>> Hi there,
>>
>> I have a weird issue with kamailio (latest docker
>> image kamailio-ci:5.5.2-alpine) and http_async_client.
>>
>> Before posting a lot of logs, let me describe what I want to achieve.
>>
>> I have a Kamailio and a SIP Phone.
>>
>> The SIP phone sends a REGISTER to kamailio, then in my routing block,
>> I check if I have an Authorization header.
>>
>> Since I don't have an Authorization (first message), I
>> use "www_challenge()".
>> This replies to the SIP phone, and then the SIP phone sends a new
>> REGISTER with the correct Authorization header.
>>
>> So far so good.
>>
>> Now, when I get the REGISTER with Authorization header, I want to ask
>> an HTTP endpoint if this user is allowed to connect and check the password
>> using http_async_query().
>>
>> The problem is that when the transaction resumes, the tmx module is
>> unhappy and throws this error :
>>
>> 30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked
>> branch (-1) for a final response in MODE_ONFAILURE
>>
>> And a 500 error is sent back to the sip phone.
>> The AUTH_REPLY route is still called and I can use the $http* values.
>>
>> Do you see something that I am doing wrong or missing in my logic?
>> Is pausing/resuming to use the async http client is allowed if I'm
>> handling a REGISTER transaction?
>>
>> Here's a simplified version of my routing block (not far from
>> reality):
>>
>> ##### SNIP
>>
>> request_route{
>>
>> route(AUTH);
>>
>>
>> route[AUTH]{
>>
>> if (is_method("REGISTER"){
>>
>> if(no_auth_header){
>>
>> www_challenge("$td","1");
>>
>> exit;
>>
>> }
>>
>> else{
>>
>> t_newtran();
>>
>>
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
>>
>> }
>>
>> }
>>
>> }
>>
>>
>> route[AUTH_REPLY]{
>>
>> xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
>>
>> }
>>
>>
>> }
>>
>> ##### END SNIP
>>
>>
>> Best regards!
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> * sr-users(a)lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only
>> to the sender!
>> Edit mailing list options or unsubscribe:
>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users(a)lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only
> to the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
10 Feb
10 Feb
7:39 p.m.
Hi Cyril,
happy to hear that you solved the problem.
About switching back to request_route type is not possible, it has to do
with the kamailio mechanism to suspend transactions. The callback route is
always a failure route.
The solution for rtpengine is either to call rtpengine_offer explicitly or
call rtpengine_manage in a branch_route, as you are doing and it's imho
among the best practices for kamailio.
Cheers,
Federico
On Tue, Feb 8, 2022 at 10:34 AM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
Hi Federico,
Thank you, this was the solution!
You were right about trying to log $T(reply_code), this triggers the
critical error and sends a 500 internal server error message.
Since I was using the same xlog line across my entire code, $T(reply_code)
was called multiple times, I didn't think it would cause such an issue
since the documentation states that it returns 0 in the worst case.
I stumbled across another issue, my rtpengine stopped working, it was due
to the fact that the http async client (so async framework) uses a
"failure_route" when triggering the callback route, so the first action of
rtpengine_manage() is to DELETE the transaction if in failure_route.
I moved/refactored some logic to trigger rtpengine inside a branch_route,
but I'm wondering if there is a way after my http query is done to revert
back to the request_route instead of the failure_route.
Cheers,
Cyril
Le ven. 4 févr. 2022 à 10:00, Federico Cabiddu <federico.cabiddu(a)gmail.com>
a écrit :
Hi Cyril,
I tried your script and changing
sl_send_reply("200","OK");
with
send_reply("200","OK") or
t_reply("200","OK");
it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch
(-1) for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there
is actually no reply code for the transaction (no reply has been
received/generated)
Could you try the following snippet based on http_async_client?
request_route {
xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp
LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){
xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm -
code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n");
if(!is_present_hf("Authorization")){
xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending
CHALLENGE for $fU ($fu) (FINAL)\n");
www_challenge("$td","1");
exit;
}
else{
xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to
AUTH_DOQUERY using http_async_client\n");
t_newtran();
http_async_query("http://127.0.0.1:8000/","AUTH_REPLY");
}
}
exit;
}
route[AUTH_REPLY]{
xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n");
send_reply("200","OK");
exit;
}
(I'm running a simple http server always replying 200 on the loopback
interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière <cyril.ramiere(a)gmail.com>
wrote:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Okay, so I have done that,
Please find here :
https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1c…
My full config (I redacted some parts like IPs and domains), with the
minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu <
federico.cabiddu(a)gmail.com> a écrit :
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
I have to admit that even looking at the debug
logs I cannot understand
what's going on in your case.
As said I'm running an authentication scenario very similar to yours,
being the challenge the only difference.
What I can suggest to further digging is to reduce your configuration
as much as possible (e.g. I see that you are using topoh) and see if we can
understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson <oej(a)edvina.net>
wrote:
>
>
> On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere(a)gmail.com>
> wrote:
>
> Hi Karsten,
>
> Thanks for the clue, unfortunately I can't use this module because the
> clients are "dumb" sip phones.
>
> The goal of my implementation is to use our application API to handle
> the login.
>
> The plan was that a sip phone sends a REGISTER, I ask the API endpoint
> if this user/password is ok to connect and allow/deny based on the reply
> and informations provided by the API.
>
> Everything is relying on the fact that I can make my HTTP call when
> handling the REGISTER, sadly for me, it doesn't work and I still can't
> figure why.
>
> Try http_client. I’ve used it a lot of time for authentication. It
> will block your thread while waiting for response, but you can handle some
> of those issues by caching secrets for a short time with htable.
>
> /O
>
>
> Cheers,
>
> Cyril
>
> Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann(a)gmail.com>
> a écrit :
>
>> Hi Cyril,
>>
>> This Kamailio module could imho do the same
>>
>>
>> https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
>>
>>
>> Cyril Ramière <cyril.ramiere(a)gmail.com> schrieb am Do., 27. Jan.
>> 2022, 08:04:
>>
>>> Hi there,
>>>
>>> I have a weird issue with kamailio (latest docker
>>> image kamailio-ci:5.5.2-alpine) and http_async_client.
>>>
>>> Before posting a lot of logs, let me describe what I want to achieve.
>>>
>>> I have a Kamailio and a SIP Phone.
>>>
>>> The SIP phone sends a REGISTER to kamailio, then in my routing
>>> block, I check if I have an Authorization header.
>>>
>>> Since I don't have an Authorization (first message), I
>>> use "www_challenge()".
>>> This replies to the SIP phone, and then the SIP phone sends a new
>>> REGISTER with the correct Authorization header.
>>>
>>> So far so good.
>>>
>>> Now, when I get the REGISTER with Authorization header, I want to
>>> ask an HTTP endpoint if this user is allowed to connect and check the
>>> password using http_async_query().
>>>
>>> The problem is that when the transaction resumes, the tmx module is
>>> unhappy and throws this error :
>>>
>>> 30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no
>>> picked branch (-1) for a final response in MODE_ONFAILURE
>>>
>>> And a 500 error is sent back to the sip phone.
>>> The AUTH_REPLY route is still called and I can use the $http* values.
>>>
>>> Do you see something that I am doing wrong or missing in my logic?
>>> Is pausing/resuming to use the async http client is allowed if I'm
>>> handling a REGISTER transaction?
>>>
>>> Here's a simplified version of my routing block (not far from
>>> reality):
>>>
>>> ##### SNIP
>>>
>>> request_route{
>>>
>>> route(AUTH);
>>>
>>>
>>> route[AUTH]{
>>>
>>> if (is_method("REGISTER"){
>>>
>>> if(no_auth_header){
>>>
>>> www_challenge("$td","1");
>>>
>>> exit;
>>>
>>> }
>>>
>>> else{
>>>
>>> t_newtran();
>>>
>>>
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar",
"AUTH_REPLY");
>>>
>>> }
>>>
>>> }
>>>
>>> }
>>>
>>>
>>> route[AUTH_REPLY]{
>>>
>>> xlog("L_INFO", "route[HTTP_REPLY]: status
$http_rs\n");
>>>
>>> }
>>>
>>>
>>> }
>>>
>>> ##### END SNIP
>>>
>>>
>>> Best regards!
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> * sr-users(a)lists.kamailio.org
>>> Important: keep the mailing list in the recipients, do not reply
>>> only to the sender!
>>> Edit mailing list options or unsubscribe:
>>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> * sr-users(a)lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only
>> to the sender!
>> Edit mailing list options or unsubscribe:
>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users(a)lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only
> to the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users(a)lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only
> to the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1002
days inactive
1017
days old
15 comments
4 participants
participants (4)
-
Cyril Ramière -
Federico Cabiddu -
Karsten Horsmann -
Olle E. Johansson