[asterisk-bugs] [JIRA] (ASTERISK-20973) Insecure=very does not work if callerId found in extention

David Woolley (JIRA) noreply at issues.asterisk.org
Mon Jan 28 05:39:58 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=202280#comment-202280 ] 

David Woolley commented on ASTERISK-20973:
------------------------------------------

You seem to be referring to insecure=invite, i.e. the port option is not relevant.

Although widely recommended by ITSPs, insecure=port,invite is rarely the most appropriate setting.  This is a case of when presented with a security feature that is getting in the way, disable it completely, rather than using a least privilege approach.

insecure never controlled the matching by extension (URI in method line).  In fact it doesn't control the match at all (which is done based on IP address or From: header); it controls whether or not, once matched, a 401 response is sent if there is no authentication data on the request, but there is on the sip.conf entry.  Extension matching is performed against extensions.conf, not sip.conf.

The subject is misleading, because insecure=very, itself, is now ignored by Asterisk.
                
> Insecure=very does not work if callerId found in extention
> ----------------------------------------------------------
>
>                 Key: ASTERISK-20973
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20973
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.20.0
>            Reporter: Badalian Vyacheslav
>            Assignee: Badalian Vyacheslav
>
> Hello all.
> Bug Example:
> I use FreePBX (but I believe that the bug is in Asterisk) and have 1 peer and 10 extensions (assigned numbers are 100-110)
> Host configuration like this:
> [ext-ats]
> type=peer
> host=IP
> insecure=invite,port
> context=from-trunk
> disallow=...
> allow=...
> If I call from [ext-ats] to * and my CallerID is 100 (I have extension 100 in Asterisk) I get a message like "Auth failed", "username and digest mismatch", but if I call from number CallerID 1000 (I don't have extension 1000 in Asterisk) the param "insecure" works as it must. In older versions (1.4-1.6) insecure does not check callerid, only host and port.

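The match-first, challenge-second order described in the comment, as an added Python sketch (not Asterisk code and not part of the original message). It assumes the From: user is tried against user/friend entries before the source IP is tried against peers, and that extension 100 exists as its own sip.conf entry with a secret; the addresses and secrets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    name: str
    kind: str                      # sip.conf type=: "peer", "user" or "friend"
    host: Optional[str] = None     # None models host=dynamic
    port: int = 5060
    secret: Optional[str] = None
    insecure: frozenset = frozenset()

def match_entry(entries, from_user, src_ip, src_port):
    # Assumption: the From: user is tried first, against user/friend entries.
    for e in entries:
        if e.kind in ("user", "friend") and e.name == from_user:
            return e
    # Then the source address, against peer/friend entries. insecure=port
    # only relaxes the port comparison in this step.
    for e in entries:
        if e.kind in ("peer", "friend") and e.host == src_ip:
            if "port" in e.insecure or e.port == src_port:
                return e
    return None

def handle_invite(entries, from_user, src_ip, src_port, has_auth=False):
    e = match_entry(entries, from_user, src_ip, src_port)
    if e is None:
        return (None, "no match")
    # insecure=invite acts only after the match: it suppresses the 401 when
    # the entry has a secret and the request carries no authentication data.
    # Digest verification itself is not modelled.
    if e.secret and not has_auth and "invite" not in e.insecure:
        return (e.name, "401 challenge")
    return (e.name, "accepted")

# Constructed sample configuration: the trunk from the report plus one extension.
ENTRIES = [
    Entry("ext-ats", "peer", host="192.0.2.10", secret="trunk-secret",
          insecure=frozenset({"invite", "port"})),
    Entry("100", "friend", secret="ext-secret"),
]

if __name__ == "__main__":
    for user in ("1000", "100"):
        print(user, handle_invite(ENTRIES, user, "192.0.2.10", 5060))
```

Under these assumptions the call with CallerID 100 is matched to the extension's own entry, so the trunk's insecure setting is never consulted for it.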