Re: [Asterisk-Users] SIP protocol bug ???
Please confirm this is fixed now in CVS. Mark ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
Does this have a bug number so I can track it? Jan Janak wrote: On 07-11 13:17, John Todd wrote: From what I can understand of the issue you describe, it sounds like the problem resides on the remote side, and not Asterisk's side. You are sending an invalid request in your first query, and the remote side is sending "Unauthorized", meaning that it believes you have supplied credentials, but they are the wrong credentials. This is the end of the conversation, since both sides have given their "final words" on the subject. "Unauthorized" means that the message contained no credentials or the server was unable to verify the credentials. When a user agent (asterisk) gets an "Unauthorized" message then it is supposed to retry with proper credentials. What arguably _should_ be happening is that the remote SIP host should be sending "407 Proxy Authentication Required", but it's not. Therefore, Asterisk is behaving correctly. This is not a bug in Asterisk. That depends on the type of the remote host. Registrars, PSTN gateways, and user agents send 401, proxies send 407. In any case asterisk should be able to handle both for any type of message except ACK and CANCEL (which can not be challenged). Jan. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
On 07-11 13:17, John Todd wrote: From what I can understand of the issue you describe, it sounds like the problem resides on the remote side, and not Asterisk's side. You are sending an invalid request in your first query, and the remote side is sending "Unauthorized", meaning that it believes you have supplied credentials, but they are the wrong credentials. This is the end of the conversation, since both sides have given their "final words" on the subject. "Unauthorized" means that the message contained no credentials or the server was unable to verify the credentials. When a user agent (asterisk) gets an "Unauthorized" message then it is supposed to retry with proper credentials. What arguably _should_ be happening is that the remote SIP host should be sending "407 Proxy Authentication Required", but it's not. Therefore, Asterisk is behaving correctly. This is not a bug in Asterisk. That depends on the type of the remote host. Registrars, PSTN gateways, and user agents send 401, proxies send 407. In any case asterisk should be able to handle both for any type of message except ACK and CANCEL (which can not be challenged). Jan. OK. My fault, then, for trying to just remember the RFC instead of going and actually reading it. :) JT ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
On 07-11 13:17, John Todd wrote: > From what I can understand of the issue you describe, it sounds like > the problem resides on the remote side, and not Asterisk's side. > > You are sending an invalid request in your first query, and the > remote side is sending "Unauthorized", meaning that it believes you > have supplied credentials, but they are the wrong credentials. This > is the end of the conversation, since both sides have given their > "final words" on the subject. "Unauthorized" means that the message contained no credentials or the server was unable to verify the credentials. When a user agent (asterisk) gets an "Unauthorized" message then it is supposed to retry with proper credentials. > What arguably _should_ be happening is that the remote SIP host > should be sending "407 Proxy Authentication Required", but it's not. > Therefore, Asterisk is behaving correctly. This is not a bug in > Asterisk. That depends on the type of the remote host. Registrars, PSTN gateways, and user agents send 401, proxies send 407. In any case asterisk should be able to handle both for any type of message except ACK and CANCEL (which can not be challenged). Jan. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
Asterisk was wrong. Every SIP message can be challenged with 401 or 407, depending on who is challenging. If you send a REGISTER message then you can get "407 Proxy Authentication Required" from any proxy along the path of the message. You can also get "401 Unauthorized" from registrar. The same for INVITE, you can get a "407 Proxy Authentication Required" from a proxy and you can also get "401 Unauthorized" from a PSTN gateway, for example. The rule of thumb is: If a SIP network element forwards the request then it will use 407, if it is the final destination for the request (PSTN gw, registrar, user agent) then it will use 401. One message can be also challenged several times before it get's to its final destination. Jan. On 07-11 09:35, mtm spm wrote: > Hi Olle, > > --- "Olle E. Johansson" <[EMAIL PROTECTED]> wrote: > > The first Invite is without credentials, since > > digest authentication needs input > > from the server to create credentials. > > This is also what I understood too from rfc. > I was just confused becouse in the Asterisk code > there was something like this: > > case 401: /* Not authorized on REGISTER */ > if (p->registry && !strcasecmp(msg, "REGISTER")) { > if ((p->authtries > 1) || do_register_auth(p, req, > "WWW-Authenticate", "Authorization")) { > ast_log(LOG_NOTICE, "Failed to authenticate on > REGISTER to '%s'\n", get_header(&p->initreq, "From")); > p->needdestroy = 1; > } elsep->needdestroy = 1; > > So, only the case of registration was handled in 401. > > However I just added something like: > > if(!strcasecmp(msg, "INVITE")) { > if ((p->authtries > 1) || do_proxy_auth2(p, req, > "INVITE", 1)) { > ast_log(LOG_NOTICE, "Failed to authenticate on > INVITE to '%s'\n", get_header(&p->initreq, "From")); > p->needdestroy = 1; > } > and I implemented the new function do_proxy_auth2 as a > modified version of do_proxy_auth to work with > "Authorization" instead of "Proxy-Authorization" and I > got the thing to work fine. > > However, I wanted to check with others who was wrong: > Asterisk or my SIP provider. > Is this the right thing to do in respect to the > standard? > > Tnx, > MTM > > > __ > Do you Yahoo!? > Protect your identity with Yahoo! Mail AddressGuard > http://antispam.yahoo.com/whatsnewfree > ___ > Asterisk-Users mailing list > [EMAIL PROTECTED] > http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
mtm spm wrote: Hi Olle, --- "Olle E. Johansson" <[EMAIL PROTECTED]> wrote: The first Invite is without credentials, since digest authentication needs input from the server to create credentials. This is also what I understood too from rfc. I was just confused becouse in the Asterisk code there was something like this: Could you please send a SIP DEBUG output so I can follow your thoughts? /Olle ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
Hi Olle, --- "Olle E. Johansson" <[EMAIL PROTECTED]> wrote: The first Invite is without credentials, since digest authentication needs input from the server to create credentials. This is also what I understood too from rfc. I was just confused becouse in the Asterisk code there was something like this: case 401: /* Not authorized on REGISTER */ if (p->registry && !strcasecmp(msg, "REGISTER")) { if ((p->authtries > 1) || do_register_auth(p, req, "WWW-Authenticate", "Authorization")) { ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s'\n", get_header(&p->initreq, "From")); p->needdestroy = 1; } else p->needdestroy = 1; So, only the case of registration was handled in 401. However I just added something like: if(!strcasecmp(msg, "INVITE")) { if ((p->authtries > 1) || do_proxy_auth2(p, req, "INVITE", 1)) { ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From")); p->needdestroy = 1; } and I implemented the new function do_proxy_auth2 as a modified version of do_proxy_auth to work with "Authorization" instead of "Proxy-Authorization" and I got the thing to work fine. However, I wanted to check with others who was wrong: Asterisk or my SIP provider. Is this the right thing to do in respect to the standard? Tnx, MTM From what I can understand of the issue you describe, it sounds like the problem resides on the remote side, and not Asterisk's side. You are sending an invalid request in your first query, and the remote side is sending "Unauthorized", meaning that it believes you have supplied credentials, but they are the wrong credentials. This is the end of the conversation, since both sides have given their "final words" on the subject. What arguably _should_ be happening is that the remote SIP host should be sending "407 Proxy Authentication Required", but it's not. Therefore, Asterisk is behaving correctly. This is not a bug in Asterisk. JT ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
Hi Olle, --- "Olle E. Johansson" <[EMAIL PROTECTED]> wrote: > The first Invite is without credentials, since > digest authentication needs input > from the server to create credentials. This is also what I understood too from rfc. I was just confused becouse in the Asterisk code there was something like this: case 401: /* Not authorized on REGISTER */ if (p->registry && !strcasecmp(msg, "REGISTER")) { if ((p->authtries > 1) || do_register_auth(p, req, "WWW-Authenticate", "Authorization")) { ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s'\n", get_header(&p->initreq, "From")); p->needdestroy = 1; } else p->needdestroy = 1; So, only the case of registration was handled in 401. However I just added something like: if(!strcasecmp(msg, "INVITE")) { if ((p->authtries > 1) || do_proxy_auth2(p, req, "INVITE", 1)) { ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From")); p->needdestroy = 1; } and I implemented the new function do_proxy_auth2 as a modified version of do_proxy_auth to work with "Authorization" instead of "Proxy-Authorization" and I got the thing to work fine. However, I wanted to check with others who was wrong: Asterisk or my SIP provider. Is this the right thing to do in respect to the standard? Tnx, MTM __ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP protocol bug ???
mtm spm wrote: Hello, I have a problem with asterisk when dial out to a SIP provider. Asterisk send a INVITE with no credentials, the provider reply with a 401 Unauthorized. However, Asterisk DOES NOT resend the invite again with credentials. But it hangs there (maybe waiting for a ok) It is this a bug in asterisk or the provider is supposed to send something else rather than a 401 as answer for a INVITE ? Hello! In the Asterisk command line interface, write "sip debug" to see all SIP transactions. Make sure that asterisk actually receives the response from the SIP provider and that there's no NAT disturbing the session. It sounds like Asterisk does not receive the 401 unauthorized and therefore tries again. The first Invite is without credentials, since digest authentication needs input from the server to create credentials. If there's a NAT in the middle, you'll find plenty of documentation on how to solve the problem (or not) on the Asterisk Wiki at http://www.voip-info.org Best regards, /Olle ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP protocol bug ???
Hello, I have a problem with asterisk when dial out to a SIP provider. Asterisk send a INVITE with no credentials, the provider reply with a 401 Unauthorized. However, Asterisk DOES NOT resend the invite again with credentials. But it hangs there (maybe waiting for a ok) It is this a bug in asterisk or the provider is supposed to send something else rather than a 401 as answer for a INVITE ? The version was taken 2 days ago from CVS. TNX, MTM __ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users