Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,

I understand your thought process. I certainly understand that However, same device, exactly the same credentials and it authenticates properly against 2 other systems. They can't both be wrong and OpenSIPS be correct.

For reference this is what I have installed:

    version: opensips 3.2.8 (x86_64/linux)
    flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
    ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
    poll method support: poll, epoll, sigio_rt, select.
    main.c compiled on 17:05:59 Aug 17 2022 with gcc 4.8.5

I tried the tool you suggested. Since the device is returning nc=0001,cnonce="30a17663" which is more than the python script uses so I can't get a correct calculation anyway.

This is one example that failed:

    Authorization: Digest username="3105738133",realm="digilink.net",nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",uri="sip:sip.rs.digidial.net",algorithm=MD5,response="d4922aa870ad36ec61f1b5da0cf6be04",qop=auth,nc=0001,cnonce="30a17663"

I found a more comprehensive tool and got the correct result from the above digest (password redacted from the image below):

So, this begs the question - why is OpenSIPS getting it wrong?

---
Bob

There may be some other

On 9/8/2022 1:43 AM, Bogdan-Andrei Iancu wrote:
> I'm quite sure OpenSIPS is computing the auth correctly, after all you are the only one complaining on this. And the point is to identify which side is not doing the proper computing and eventually see why - it may be a setting, a typo, etc...
>
> Just my 2 cents on the matter.
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/8/22 10:29 AM, Bob Atkins wrote:
>> Iancu,
>>
>> I'm not sure what the point of this would be. Even if it showed that OpenSIPS was calculating incorrectly - then what?
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
I'm quite sure OpenSIPS is computing the auth correctly, after all you are the only one complaining on this. And the point is to identify which side is not doing the proper computing and eventually see why - it may be a setting, a typo, etc...

Just my 2 cents on the matter.

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 9/8/22 10:29 AM, Bob Atkins wrote:
> Iancu,
>
> I'm not sure what the point of this would be. Even if it showed that OpenSIPS was calculating incorrectly - then what?
>
> The device registers just fine with both asterisk and OpenSER v1.1 with exactly the same parameters. The device is calculating the response correctly for 2 other systems. OpenSIPS is clearly getting it wrong. The question is why? Or even how. This is a pretty basic calculation.
>
> ---
> Bob
>
> On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
>> Hi Bob,
>>
>> Use the below to double check which party is failing in computing the right auth response.
>>
>> https://openplatform.xyz/sip_register_digest_authentication.html
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>> https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/7/22 10:46 PM, Bob Atkins wrote:
>>> Iancu,
>>>
>>> Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-(
>>>
>>> So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and *rejecting!* The HA1 is failing to compare! But the passwords are correct! Now I am really mystified.
>>>
>>> I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates.
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Bob,

OpenSIPS calculates:
HA1 field in DB is an MD5 hash of "username:domain:password"

At least works for me 😉

From: Bob Atkins <b...@digilink.net>
Sent: Thursday, 8 September 2022 19:32
To: Bogdan-Andrei Iancu <bog...@opensips.org>; OpenSIPS users mailling list <users@lists.opensips.org>
Subject: Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??

> Iancu,
>
> I'm not sure what the point of this would be. Even if it showed that OpenSIPS was calculating incorrectly - then what?
>
> The device registers just fine with both asterisk and OpenSER v1.1 with exactly the same parameters. The device is calculating the response correctly for 2 other systems. OpenSIPS is clearly getting it wrong. The question is why? Or even how. This is a pretty basic calculation.
>
> ---
> Bob
>
> On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
>> Hi Bob,
>>
>> Use the below to double check which party is failing in computing the right auth response.
>>
>> https://openplatform.xyz/sip_register_digest_authentication.html
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>> https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/7/22 10:46 PM, Bob Atkins wrote:
>>> Iancu,
>>>
>>> Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-(
>>>
>>> So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and rejecting! The HA1 is failing to compare! But the passwords are correct! Now I am really mystified.
>>>
>>> I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates. When I change the sip server to the new system, the OpenSIPS system fails due to mismatched HA1. Whaaa ?!?!
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,

I'm not sure what the point of this would be. Even if it showed that OpenSIPS was calculating incorrectly - then what?

The device registers just fine with both asterisk and OpenSER v1.1 with exactly the same parameters. The device is calculating the response correctly for 2 other systems. OpenSIPS is clearly getting it wrong. The question is why? Or even how. This is a pretty basic calculation.

---
Bob

On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
> Hi Bob,
>
> Use the below to double check which party is failing in computing the right auth response.
>
> https://openplatform.xyz/sip_register_digest_authentication.html
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/7/22 10:46 PM, Bob Atkins wrote:
>> Iancu,
>>
>> Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-(
>>
>> So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and *rejecting!* The HA1 is failing to compare! But the passwords are correct! Now I am really mystified.
>>
>> I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates. When I change the sip server to the new system, the OpenSIPS system fails due to mismatched HA1. Whaaa ?!?!
>>
>> Mismatched HA1 would imply a password failure but I have absolutely, positively verified the passwords in both database entries and the *only* thing I change on the device is the sip server. It should just register on the new system.
>>
>> I have attached packet capture of the transaction between the device and the OpenSIPS system.
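Added example, not part of any message in this thread: a small verifier for the digest computation the messages above argue about, run against the Authorization value quoted in the thread. It covers both the qop=auth form (with nc and cnonce) and the older form without qop, shows that HA1 changes with the realm/domain string it is built from, and hashes nc exactly as the device sent it. The password is a constructed placeholder (the real one is redacted in the thread), the helper names are hypothetical, and the formulas are the standard MD5 digest ones, not code taken from OpenSIPS.

```python
import hashlib
import hmac
import re

# Authorization value copied from the failing REGISTER quoted in the thread.
CAPTURED = ('Digest username="3105738133",realm="digilink.net",'
            'nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",'
            'uri="sip:sip.rs.digidial.net",algorithm=MD5,'
            'response="d4922aa870ad36ec61f1b5da0cf6be04",'
            'qop=auth,nc=0001,cnonce="30a17663"')

# Constructed placeholder: the real password is redacted in the thread.
PASSWORD = "constructed-password"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(value):
    """Parse Digest credentials into a dict; quoted values lose their quotes."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not Digest credentials")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1).lower()] = quoted if quoted is not None else bare
    return fields


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the realm string is part of the hash."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(fields, method, ha1_hex):
    """Response the server should expect for these credentials and this HA1."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    qop = fields.get("qop")
    if qop is None:
        # Older form without qop: no nc or cnonce in the hash.
        return md5_hex(f"{ha1_hex}:{fields['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    # nc and cnonce are hashed exactly as sent (here the 4-digit "0001").
    return md5_hex(f"{ha1_hex}:{fields['nonce']}:{fields['nc']}:"
                   f"{fields['cnonce']}:{qop}:{ha2}")


def verify(header_value, method, ha1_hex):
    fields = parse_digest(header_value)
    want = expected_response(fields, method, ha1_hex)
    return hmac.compare_digest(want, fields["response"].lower())


def resign(header_value, method, password):
    """Return header_value with its response recomputed for `password`."""
    fields = parse_digest(header_value)
    good = expected_response(
        fields, method, ha1(fields["username"], fields["realm"], password))
    return re.sub(r'response="[0-9a-fA-F]*"', f'response="{good}"', header_value)


def demo():
    # Same header as in the thread, re-signed with the placeholder password
    # so that a known-good response exists to verify against.
    header = resign(CAPTURED, "REGISTER", PASSWORD)
    f = parse_digest(header)
    user, realm = f["username"], f["realm"]
    return {
        # HA1 built from the realm in the header: matches.
        "ha1_from_header_realm": verify(header, "REGISTER", ha1(user, realm, PASSWORD)),
        # HA1 built from "digidial", the domain value in the OpenSIPS
        # subscriber row shown in the thread: same password, no match.
        "ha1_from_other_domain": verify(header, "REGISTER", ha1(user, "digidial", PASSWORD)),
        "wrong_password": verify(header, "REGISTER", ha1(user, realm, PASSWORD + "x")),
        # Padding nc to 8 digits before hashing breaks the comparison.
        "nc_reformatted": verify(header.replace("nc=0001", "nc=00000001"),
                                 "REGISTER", ha1(user, realm, PASSWORD)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

To check a real capture, pass the actual password to `ha1()` and call `verify(CAPTURED, "REGISTER", ...)`; a precomputed `ha1` column value can be passed in the same place.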
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,

Use the below to double check which party is failing in computing the right auth response.

https://openplatform.xyz/sip_register_digest_authentication.html

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 9/7/22 10:46 PM, Bob Atkins wrote:
> Iancu,
>
> Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-(
>
> So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and *rejecting!* The HA1 is failing to compare! But the passwords are correct! Now I am really mystified.
>
> I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates. When I change the sip server to the new system, the OpenSIPS system fails due to mismatched HA1. Whaaa ?!?!
>
> Mismatched HA1 would imply a password failure but I have absolutely, positively verified the passwords in both database entries and the *only* thing I change on the device is the sip server. It should just register on the new system.
>
> I have attached packet capture of the transaction between the device and the OpenSIPS system.
>
> I have absolutely, positively copied and pasted (no trailing nl or spaces) and verified that the passwords are the same in both databases and also the same on the device.
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,

Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-(

So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and *rejecting!* The HA1 is failing to compare! But the passwords are correct! Now I am really mystified.

I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates. When I change the sip server to the new system, the OpenSIPS system fails due to mismatched HA1. Whaaa ?!?!

Mismatched HA1 would imply a password failure but I have absolutely, positively verified the passwords in both database entries and the *only* thing I change on the device is the sip server. It should just register on the new system.

I have attached packet capture of the transaction between the device and the OpenSIPS system.

I have absolutely, positively copied and pasted (no trailing nl or spaces) and verified that the passwords are the same in both databases and also the same on the device.

OpenSER DB subscriber entry

    phplib_id username domain password first_name last_name phone email_address datetime_created datetime_modified confirmation flag sendnotification greeting ha1 ha1b allow_find timezone rpid domn uuid customerID customerName
    3105738133 3105738133 digilink.net PPC Home Fax 3105738133 7/5/2012 16:36 11/7/2021 13:58 o 0 \N \N \N \N 72 DigiLink Internet Services

OpenSIPS DB subscriber entry

    id username domain password cr_preferred_carrier first_name last_name phone email_address datetime_created datetime_modified confirmation flag sendnotification greeting allow_find timezone customerID customerName ha1 ha1_sha256 ha1_sha512t256 rpid
    1 3105738133 digidial \N PPC Home Fax 3105738133 b...@planeparts.com 7/5/2012 16:36 11/7/2021 13:58 0 72 DigiLink Internet Services \N

Registration code:

OpenSER system:

    modparam("auth_db", "calculate_ha1", yes)
    modparam("auth_db", "password_column", "password")

    if (method=="REGISTER") {
        #xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
        if (!www_authorize("digilink.net", "subscriber")) {
            #xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
            www_challenge("digilink.net", "0");
            exit;
        };
        xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
        save("location");
        exit;
    };

==

OpenSIPS system

AUTH Db module

    loadmodule "auth.so"
    loadmodule "auth_db.so"
    modparam("auth_db", "calculate_ha1", 1)
    modparam("auth_db", "use_domain", 1)
    modparam("auth_db", "user_column", "username")
    modparam("auth_db", "password_column", "password")
    modparam("auth_db", "load_credentials", "")

    if (is_method("REGISTER")) {
        xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
        xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
        xlog("L_INFO", "REGISTER: www_authorize returned [$var(x)] to authenticate with [$rU]$ru credential");
        if (!www_authorize("digilink.net", "subscriber")) {
            xlog("L_INFO","CHALLENGE: [$ft][$tt]");
            www_challenge("digilink.net","auth","MD5");
            exit;
        } else {
            xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential from [$si] - FAILED!");
            sl_send_reply(403, "Not Authorized!");
            exit;
        }
        xlog("L_INFO", "REGISTER: URI [$tu] - [$rm][$ft][$tt] Registered $fu from $si");
        save("location");
        exit;
    }

Debug output:

    Sep 7 09:42:09 [5640] DBG:core:parse_msg: SIP Request:
    Sep 7 09:42:09 [5640] DBG:core:parse_msg: method:
    Sep 7 09:42:09 [5640] DBG:core:parse_msg: uri:
    Sep 7 09:42:09 [5640] DBG:core:parse_msg: version:
    Sep 7 09:42:09 [5640] DBG:core:p
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Iancu,

Thank you very much for your reply. Please ignore my previous message - it got sent prematurely.

Like you, I am mystified by the fact that it says that it cannot find the domain realm when it is actually in the table.

Keep in mind that I changed the code to specifically see the return result from www_authorize in my earlier tests and found that www_authorize returns [-4] which means (no credentials) - credentials were not found in request. Why is it returning a -4?? Why is that -4 passing the if (!www_authorize("", "subscriber")) { statement in the first place. It should not fall through to the challenge with a -4 return. There is also no reason why the credentials should not be there - they have certainly not been consumed before this point.

Here is the subscriber table entry for reference:

    id;username;domain;password;cr_preferred_carrier;first_name;last_name;phone;email_address;datetime_created;datetime_modified;confirmation;flag;sendnotification;greeting;allow_find;timezone;customerID;customerName;ha1;ha1_sha256;ha1_sha512t256;rpid
    1;3105738133;sip.rs.digidial.net;xxx;\N;PPC Home;Fax;3105738133;b...@planeparts.com;2012-07-05 16:36:13;2021-11-07 13:58:34;;0;72;DigiLink Internet Services\N

I would like to point out that the *exact same configuration* works properly in OpenSER v1.1 with exactly the same database table and entry.

I tried your suggestion (see code snippet below) and still no joy... All that was accomplished was the realm got set to the ip server's SRV name 'sip.rs.digidial.net' (see debug output below).

    if (!www_authorize("", "subscriber")) {
        #xlog("L_INFO","CHALLENGE: [$ft][$tt]");
        www_challenge("", "auth,auth-int", "MD5,MD5-sess,SHA-256,SHA-256-sess");
        exit;
    } else {
        #xlog("L_ALERT", "REGISTER: URI [$tu] - FAILED");
        xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential from [$si] - FAILED!");
        sl_send_reply(403, "Not Authorized!");
        exit;
    }

I left the subscriber table entry as above and the test failed. I changed the domain of the subscriber to sip.rs.digidial.net and it still failed with exactly the same message - see below.

Debug output:

    Sep 6 11:34:42 [4299] DBG:core:parse_msg: SIP Request:
    Sep 6 11:34:42 [4299] DBG:core:parse_msg: method:
    Sep 6 11:34:42 [4299] DBG:core:parse_msg: uri:
    Sep 6 11:34:42 [4299] DBG:core:parse_msg: version:
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=
    Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=10
    Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={}, ruri={sip:3970@23.253.166.155}
    Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: [27]; uri=[sip:3970@23.253.166.155]
    Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: to body [ ]
    Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 232, = ; state=6
    Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 235, = ; state=17
    Sep 6 11:34:42 [4299] DBG:core:parse_via: end of header reached, state=5
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: via found, flags=
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: this is the first via
    Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: cseq : <1>
    Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: content_length=0
    Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: found end of header
    Sep 6 11:34:42 [4299] DBG:core:receive_msg: After parse_msg...
    Sep 6 11:34:42 [4299] DBG:core:receive_msg: preparing to run routing scripts...
    Sep 6 11:34:42 [4299] DBG:pike:mark_node: search on branch 128 (top=0x7f6aba91fb08)
    Sep 6 11:34:42 [4299] DBG:pike:mark_node: only first 1 were matched!
    Sep 6 11:34:42 [4299] DBG:pike:pike_check_req: src IP [128.90.81.216],node=0x7f6aba91fb08; hits=[0,1],[0,0] node_flags=2 func_flags=8
    Sep 6 11:34:42 [4299] DBG:maxfwd:is_maxfwd_present: value = 70
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: int 27: 501 / 2048
    Sep 6 11:34:42 [4299] DBG:core:parse_to_param: tag=e5f4a8407663e4f7a3970
    Sep 6 11:34:42 [4299] DBG:core:parse_to_param: end of header reached, state=11
    Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=29
    Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={}, ruri={sip:3970@23.253.166.155}
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=78
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=200
    Sep 6 11:34:42 [4299] DBG:rr:find_first_route: No Route headers found
    Sep 6 11:34:42 [4299] DBG:rr:loose_route: There is no Route HF
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
    Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
    Sep 6 11:34:42 [4299] D
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,

Well, the logs cover only the challenge part, the handling of the REGISTER without any credentials - this is the first normal step in the digest auth process. As per log, no Auth hdrs are found in the incoming REGISTER and a challenge reply is built and sent back (see the last log line below):

    Sep 6 11:34:42 [4299] DBG:core:pv_get_authattr: no [Proxy-]Authorization header
    Sep 6 11:34:42 [4299] [e5f4a8407663e4f7a3970][]@[] - Processing registration
    Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=4000
    Sep 6 11:34:42 [4299] DBG:auth:pre_auth: credentials with given realm not found
    Sep 6 11:34:42 [4299] DBG:auth:reserve_nonce_index: second= 19, sec_monit= 22, index= 36
    Sep 6 11:34:42 [4299] DBG:auth:challenge: nonce index= 36
    Sep 6 11:34:42 [4299] DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="23.253.166.155", nonce="945VEH4DrBNkbwzJOMTyiEbNih+ChrtOdEF1sn9J0QAA", qop="auth", algorithm=MD5

But normally it should be a second incoming REGISTER (as response to the challenge) with credentials this time. Do you have the logs from both REGISTER requests and eventually the SIP capture for them?

Best regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 9/6/22 9:47 PM, Bob Atkins wrote:
> Hi Iancu,
>
> Thank you very much for your reply. Please ignore my previous message - it got sent prematurely.
>
> Like you, I am mystified by the fact that it says that it cannot find the domain realm when it is actually in the table.
>
> Keep in mind that I changed the code to specifically see the return result from www_authorize in my earlier tests and found that www_authorize returns [-4] which means (no credentials) - credentials were not found in request. Why is it returning a -4?? Why is that -4 passing the if (!www_authorize("", "subscriber")) { statement in the first place. It should not fall through to the challenge with a -4 return.
There is also no reason why the credentials should not be there - they have certainly not been consumed before this point. Here is the subscriber table entry for reference: id;username;domain;password;cr_preferred_carrier;first_name;last_name;phone;email_address;datetime_created;datetime_modified;confirmation;flag;sendnotification;greeting;allow_find;timezone;customerID;customerName;ha1;ha1_sha256;ha1_sha512t256;rpid 1;3105738133;sip.rs.digidial.net;xxx;\N;PPC Home;Fax;3105738133;b...@planeparts.com;2012-07-05 16:36:13;2021-11-07 13:58:34;;0;72;DigiLink Internet Services\N I would like to point out that the /_*exact same configuration*_/ works properly in OpenSER v1.1 with exactly the same database table and entry I tried your suggestion (see code snipet below) and still no joy... All that was accomplished was the realm got set to the ip server's SRV name 'sip.rs.digidial.net' (see debug output below). if (!www_authorize("", "subscriber")) { #xlog("L_INFO","CHALLENGE: [$ft][$tt]"); www_challenge("", "auth,auth-int", "MD5,MD5-sess,SHA-256,SHA-256-sess"); exit; } else { #xlog("L_ALERT", "REGISTER: URI [$tu] - FAILED"); xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential from [$si] - FAILED!"); sl_send_reply(403, "Not Authorized!"); exit; } I left the subscriber table entry as above and the test failed. I changed the domain of the subscriber to sip.rs.digidial.net and it still failed with exactly the same message - see below. 
Debug output:

Sep 6 11:34:42 [4299] DBG:core:parse_msg: SIP Request:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: method:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: uri:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: version:
Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=
Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=10
Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={}, ruri={sip:3970@23.253.166.155}
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: [27]; uri=[sip:3970@23.253.166.155]
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: to body [ ]
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 232, = ; state=6
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 235, = ; state=17
Sep 6 11:34:42 [4299] DBG:core:parse_via: end of header reached, state=5
Sep 6 11:34:42 [4299] DBG:core:parse_headers: via found, flags=
Sep 6 11:34:42 [4299] DBG:core:parse_headers: this is the first via
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: cseq : <1>
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: content_length=0
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: found end of header
Sep 6 11:34:42 [4299] DBG:core:receive_msg: After parse_msg...
Sep 6 11:34:42 [4299] DBG:core:receive_msg: preparing
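The realm selection behind the `pre_auth: credentials with given realm not found` log line, modelled as an added Python example (not OpenSIPS code and not part of the thread). The user `alice`, the nonce, cnonce and URI are constructed; the two realms are the ones that appear in the thread; the -2 code is an assumption of this model.

```python
import hashlib
import hmac
import re

NO_CREDENTIALS = -4    # the code the thread reports from www_authorize
INVALID_PASSWORD = -2  # assumed code for a response mismatch in this model

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(value):
    """Split 'Digest k="v",k=v,...' into a dict; None for other schemes."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def find_credentials(auth_headers, realm):
    """Return the first Digest credentials whose realm equals `realm`."""
    for value in auth_headers:
        cred = parse_digest(value)
        if cred and cred.get("realm") == realm:
            return cred
    return None

def digest_response(cred, password, method):
    """RFC 2617 request-digest for algorithm=MD5, with or without qop=auth."""
    ha1 = md5_hex(f"{cred['username']}:{cred['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{cred['uri']}")
    if cred.get("qop") == "auth":
        return md5_hex(f"{ha1}:{cred['nonce']}:{cred['nc']}:{cred['cnonce']}:{ha2}")
    return md5_hex(f"{ha1}:{cred['nonce']}:{ha2}")

def authorize(auth_headers, realm, password, method="REGISTER"):
    cred = find_credentials(auth_headers, realm)
    if cred is None:
        return NO_CREDENTIALS  # first REGISTER, or realm differs from the script's
    ok = hmac.compare_digest(digest_response(cred, password, method), cred["response"])
    return 1 if ok else INVALID_PASSWORD

def sample_header(realm, password):
    """Constructed Authorization value for user 'alice' (not from the thread)."""
    cred = {"username": "alice", "realm": realm, "nonce": "c29tZS1ub25jZQ",
            "uri": "sip:example.invalid", "qop": "auth", "nc": "00000001",
            "cnonce": "0a4f113b"}
    cred["response"] = digest_response(cred, password, "REGISTER")
    return "Digest " + ",".join(f'{k}="{v}"' for k, v in cred.items())
```

In this model a header that is valid for realm `23.253.166.155` yields -4 when the script asks for `digilink.net`, the same result as a REGISTER that carries no Authorization header at all.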
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,

The key log is this one:

Aug 30 18:19:05 [17809] DBG:auth:pre_auth: credentials with given realm not found

Basically OpenSIPS says it does not find the "digilink.net" realm in the provided auth header in REGISTER.

As a quick experiment, could you use the empty string "" for realm (instead of "digilink.net") in the www_authorize/challenge() functions?

Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 8/31/22 4:31 AM, Bob Atkins wrote:

Hi.

Have been a long time OpenSER user in a production environment. I managed to convert to OpenSIPS v3.2.8 on a CentOS 7 system and is working based on IP authentication however, I just cannot get sip registrations to work that used to work fine with OpenSER.

I'm using a SPA112 running 1.4.1(SR5) as a test device. This device registers just fine with Asterisk and OpenSER v1.1 with exactly the same credentials but no matter what I have tried it just won't register with OpenSIPS v3.2.8. I am using auth_db and mysql. I have verified that all sql data is correct. I have been banging my head against the screen for hours to no avail.

In reviewing the debug and log output I can clearly see that something is wrong because the user name and domain are both ?

www_authorize returns [-4] which means (no credentials) - credentials were not found in request. There is no reason why the credentials should not be there - they have certainly not been consumed before this point. This same device registers just fine with /_*exactly*_/ the same credentials to both OpenSER v1.1 and asterisk servers.

Would be grateful if anyone can shed some light on this because it seems to me that something inside auth or auth_db is broken and not extracting the registration credentials from the REGISTER message.
This code worked just fine in OpenSER v1.1

    if (method=="REGISTER") {
        #xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
        if (!www_authorize("digilink.net", "subscriber")) {
            #xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
            www_challenge("digilink.net", "0");
            exit;
        };
        xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
        save("location");
        exit;
    };

This is the code in the OpenSIPS 3.2.8 config that is failing:

Here are the module loads and various defines:

    loadmodule "options.so"
    loadmodule "textops.so"

    #### SIGNALING module
    loadmodule "signaling.so"

    #### StateLess module
    loadmodule "sl.so"

    #### Transaction Module
    loadmodule "tm.so"
    modparam("tm", "enable_stats", 1)
    modparam("tm", "fr_timeout", 9)
    modparam("tm", "fr_inv_timeout", 120)
    modparam("tm", "restart_fr_on_each_reply", 0)
    modparam("tm", "onreply_avp_mode", 1)

    #### Record Route Module
    loadmodule "rr.so"
    /* do not append from tag to the RR */
    modparam("rr", "append_fromtag", 1)

    loadmodule "uac.so"
    #modparam("uac","restore_mode","auto")
    modparam("uac","rr_from_store_param","dns_uac_param")
    modparam("uac","restore_mode","none")

    #### MAX ForWarD module
    loadmodule "maxfwd.so"

    #### SIP MSG OPerationS module
    loadmodule "sipmsgops.so"

    #### FIFO Management Interface
    loadmodule "mi_fifo.so"
    modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
    modparam("mi_fifo", "fifo_mode", 0666)

    #### USeR LOCation module
    loadmodule "usrloc.so"
    modparam("usrloc", "nat_bflag", "NAT")
    modparam("usrloc", "working_mode_preset", "single-instance-sql-write-back")
    modparam("usrloc", "db_url", "mysql://opensips:??@localhost/opensips")

    loadmodule "nathelper.so"
    modparam("nathelper", "received_avp", "$avp(rcv)")
    modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
    modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT

    #### MYSQL module
    loadmodule "db_mysql.so"
    loadmodule "avpops.so"

    #### AUTH Db module
    loadmodule "auth.so"
    loadmodule "auth_db.so"
    modparam("auth_db", "calculate_ha1", 1)
    modparam("auth_db", "user_column", "username")
    modparam("auth_db", "password_column", "password")
    modparam("auth_db", "use_domain", 0)
    modparam("auth_db", "db_url", "mysql://opensips:??@localhost/opensips")
    modparam("auth_db", "load_credentials", "")

    #### REGISTRAR module
    loadmodule "registrar.so"
    modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
    modparam("registrar", "min_expires", 120)
    modparam("registrar", "max_expires", 3600)
    modparam("registrar", "default_expires", 3600)
    modparam("registrar", "max_contacts", 5)
    modparam("registrar", "received_avp", "$avp(rcv)")

    #### Pike DOS protection
    loadmodule "pike.so"
    modparam("pike", "sampling_time_unit", 3)
    modparam("pike", "reqs_density_per_unit", 20)

    #### DIALOG module
    loadmodule "dialog.so"
    modparam("dialog", "dlg_match_mode", 1)
    modparam("dialog", "default_timeout", 21600) # 6 hours timeout
    modparam("dialog", "db_mode", 0)
    modparam("dialog", "profiles_with_value", "trunkCalls")

    #### ACCounting module
    loadmodule "acc.so"
    /* what special events