[asterisk-bugs] [JIRA] (ASTERISK-22386) Outbound SIP registration, if the auth object's realm option is not set to the same value as the 401's realm, then we fail to create a new REGISTER with auth details

Wed Sep 4 18:51:03 CDT 2013

    [ https://issues.asterisk.org/jira/browse/ASTERISK-22386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209912#comment-209912 ] 

George Joseph commented on ASTERISK-22386:
------------------------------------------

1)  Gotcha.
2)  Yeah, pjsip_auth_clt_reinit_req does this but in a different context.  Since all we're doing here is searching for a realm not constructing the response, what do you want the behavior to be if there's more than 1 header and the unlikely case that the realms are different?  Practically speaking, for the same realm, the only difference in the headers should be the scheme (which doesn't matter in this context) but different realms???
3)  Gotcha.
4)  Gotcha.

To paraphrase...
When the auth object is used to send challenges, a default of "asterisk" will be used if one isn't specified.
When the auth object is used to send responses, a default of the challenge's realm will be used if one isn't specified.
In both cases, if a realm is specified in the config it is always used.

> Outbound SIP registration, if the auth object's realm option is not set to the same value as the 401's realm, then we fail to create a new REGISTER with auth details
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22386
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22386
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip, Resources/res_pjsip_outbound_authenticator_digest
>    Affects Versions: 12
>         Environment: SVN-branch-12-r397614M (with patch from ASTERISK-22380)
>            Reporter: Rusty Newton
>            Assignee: Mark Michelson
>         Attachments: full10.txt, full11.txt, outbound_auth_realm_v2.patch, pjsip10.txt, pjsip11.txt
>
>
> Without "realm=<somevalue>" defined we see 
> {noformat}
> [Aug 25 16:57:54] WARNING[21069]: res_pjsip_outbound_authenticator_digest.c:90 digest_create_request_with_auth: Failed to create new request with authentication credentials
> [Aug 25 16:57:54] WARNING[21069]: res_pjsip_outbound_registration.c:387 handle_registration_response: Temporal response '401' received from 'sip:gw1.sip.us' on registration attempt to 'sip:5279938664 at gw1.sip.us', retrying in '15' seconds
> {noformat}
> after the 401 in an outbound REGISTER dialog. The WARNING messages don't really make it clear why we fail to create a new request.
> I'll attach a working and non-working example to make it clear. For Asterisk to issue a new REGISTER request with Authentication I had to define realm specifically with the value we see in the 401's WWW-Authenticate header.
> *In the failing config pjsip10.txt, realm is undefined. The same failure mode occurs with realm defined, but not set specifically to the realm value from the challenge.*
> I'm not sure what the solution here is.
> * It looks like a bug that we *don't* create a new REGISTER without realm specifically defined
> * If it is legit that we are failing out here, can the WARNING be made to detail the issue?
> * Should we be responding with the default realm of "asterisk" or should we be responding using the realm in the challenge if we don't define it specifically in config?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira