[asterisk-bugs] [JIRA] (ASTERISK-22386) Outbound SIP registration, if the auth object's realm option is not set to the same value as the 401's realm, then we fail to create a new REGISTER with auth details

Mark Michelson (JIRA) noreply at issues.asterisk.org
Wed Sep 4 17:15:03 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209904#comment-209904 ] 

Mark Michelson commented on ASTERISK-22386:
-------------------------------------------

Thanks for the patch! Unfortunately, my inclination is that your approach is not correct for the given problem. The idea behind realm-based authentication is not to always match a realm given in the 401/407. Instead, the intention is to present credentials that match any realms in the 401/407. So in Rusty's original case, it is 100% correct that we could not create a request with authentication credentials since we did not have credentials for the realm presented in the 401. As Rusty stated, this isn't an error in the code, it was a user error and the output should have made it more clear why a request with authentication credentials could not be created.

Now, that being said, there may be some merit to defining the idea of a "wildcard" option for realms in auth sections. So for instance, if we were asked for credentials for a particular realm, then an auth section with a wildcard realm could do as your patch does and match any realm presented in the 401/407. However, this would need to be a separate issue and would be a new feature rather than a bug fix.
                
> Outbound SIP registration, if the auth object's realm option is not set to the same value as the 401's realm, then we fail to create a new REGISTER with auth details
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22386
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22386
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip, Resources/res_pjsip_outbound_authenticator_digest
>    Affects Versions: 12
>         Environment: SVN-branch-12-r397614M (with patch from ASTERISK-22380)
>            Reporter: Rusty Newton
>            Assignee: Mark Michelson
>         Attachments: full10.txt, full11.txt, outbound_auth_realm_v2.patch, pjsip10.txt, pjsip11.txt
>
>
> Without "realm=<somevalue>" defined we see 
> {noformat}
> [Aug 25 16:57:54] WARNING[21069]: res_pjsip_outbound_authenticator_digest.c:90 digest_create_request_with_auth: Failed to create new request with authentication credentials
> [Aug 25 16:57:54] WARNING[21069]: res_pjsip_outbound_registration.c:387 handle_registration_response: Temporal response '401' received from 'sip:gw1.sip.us' on registration attempt to 'sip:5279938664@gw1.sip.us', retrying in '15' seconds
> {noformat}
> after the 401 in an outbound REGISTER dialog. The WARNING messages don't really make it clear why we fail to create a new request.
> I'll attach a working and non-working example to make it clear. For Asterisk to issue a new REGISTER request with Authentication I had to define realm specifically with the value we see in the 401's WWW-Authenticate header.
> *In the failing config pjsip10.txt, realm is undefined. The same failure mode occurs with realm defined, but not set specifically to the realm value from the challenge.*
> I'm not sure what the solution here is.
> * It looks like a bug that we *don't* create a new REGISTER without realm specifically defined
> * If it is legit that we are failing out here, can the WARNING be made to detail the issue?
> * Should we be responding with the default realm of "asterisk" or should we be responding using the realm in the challenge if we don't define it specifically in config?
