After checking the log in the client side, here are some interesting
findings:

Here is the what the client side received:

WWW-Authenticate: Digest realm="sip.domain.com",
nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA", qop="auth,auth-int",
algorithm=SHA-256

Then the client side logs show:

15:25:51.858       ...Unsupported digest algorithm "SHA-256"
15:25:51.859      ....SIP registration error: Invalid/unsupported digest
algorithm

Firstly, if the server side did not include SHA-256 in the SIP message,
there would be no such issue. I don't understand why it needs to inform the
client side "SHA-256". Secondly, if the client side just simply ignored
"SHA-256", there would be no such issue. However, the client side treated
it as not supported.

On Thu, Sep 15, 2022 at 3:16 PM jacky z <zjack0...@gmail.com> wrote:

> Hi Bogdan-Andrei,
>
> I tried either specifying it or not. Neither worked. Here is the script
> when I tried:
>
> www_challenge("","auth,auth-int","SHA-256");
>
> I also tried specifying the realm in the above code. When the above is
> used, there is no such error, but always returns 401. I checked the column
> ha1_sha256 and the hash of the password is correct.
>
> Thanks!
>
> On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu <bog...@opensips.org>
> wrote:
>
>> Hi,
>>
>> In your opensips.cfg, when doing auth challenge to the end points, do you
>> specify the SHA256 alg?
>>
>> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>   https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/15/22 7:18 AM, jacky z wrote:
>>
>> Hi Team,
>>
>> Does ha1_sha256 work in general opensips config settings? I have the
>> following in the scripts:
>>
>> modparam("auth_db", "calculate_ha1", 0)
>>
>> modparam("auth_db", "password_column", "ha1_sha256")
>>
>>
>> but got the following error in the log:
>>
>>
>> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length of
>> pre-hashed credentials for the algorithm "MD5": 32 expected, 64 provided
>>
>>
>> It seems though the sha256 was specified, but the server still calculated
>> MD5 and compared with the database column ha1_sha256.
>>
>> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu <bog...@opensips.org>
>> wrote:
>>
>>> Hi Bela,
>>>
>>> The OCP does not support ha1_sha256 AFAIK. Consider opening a feature
>>> request here https://github.com/OpenSIPS/opensips-cp/issues
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 6/29/22 9:10 AM, Bela H wrote:
>>>
>>> Hi all,
>>>
>>>
>>>
>>> Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using
>>> password mode ha1_sha256?
>>>
>>> The ha1 (MD5(username:realm:password)) works fine but I had no luck
>>> with the value generation for the ha1_sha256 field in “subscriber” table.
>>>
>>>
>>>
>>> I have this setting:
>>>
>>> modparam("auth_db", "calculate_ha1", 0)
>>>
>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>
>>>
>>>
>>> Thanks!
>>>
>>> Bela
>>>
>>>
>>>
>>>
>>
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Reply via email to