[asterisk-bugs] [JIRA] (ASTERISK-23322) Unable to use SIP INVITE authentication with type=peer and device name mismatch with username

Igor Nikolaev (JIRA) noreply at issues.asterisk.org
Wed Feb 19 23:36:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215462#comment-215462 ] 

Igor Nikolaev commented on ASTERISK-23322:
------------------------------------------

Well, please explain to me how I can make the following configuration:

1. My Asterisk needs to register into the remote system via SIP REGISTER
2. With this registered (peer? friend?) I must make both inbound and outbound calls
3. The remote system requires SIP INVITE auth for outbound calls and supports SIP INVITE auth for inbound calls (inbound and outbound in terms of my Asterisk)
4. I use realtime SIP peers (but this is not important; the configuration may be stored in *.conf files), but SIP device names in my Asterisk must be different from the auth names from the remote system (important).

If I describe this connection as type=peer, then I can REGISTER into the remote system and make outbound calls with SIP INVITE auth, but can't accept inbound calls without setting insecure=invite (otherwise I get the error "username mismatch, have <%s>, digest has <%s>").

I can see the same issue when I describe this peer with type=friend (because the auth name is taken from the peer->name field of the sip_peer structure). This is wrong because my internal device name (peer->name) must not be known to the remote system; it's used only
- in my Asterisk system as the device name (e.g. Dial application etc.);
- when other systems register with my Asterisk.


                
> Unable to use SIP INVITE authentication with type=peer and device name mismatch with username
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23322
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23322
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 11.7.0
>            Reporter: Igor Nikolaev
>            Assignee: Igor Nikolaev
>            Severity: Trivial
>         Attachments: asterisk-chan_sip-inbound-invite-auth.patch
>
>
> Scenario:
> sip.conf
> {noformat}
> [devicename]
> type=peer
> fromuser=authuser
> secret=...
> {noformat}
> In this case, if devicename is not equal to authuser, you need to add the statement "insecure=invite" to receive incoming calls. But these INVITEs are not authenticated by the receiving system. It's a security hole.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
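
The username comparison described in the comment above, and the effect of insecure=invite, as an added Python example that is not part of the original message, the attached patch or chan_sip. The auth_user field, the check_invite function and all sample values are hypothetical or constructed; the digest is computed per RFC 2617 without qop.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, secret, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def check_invite(peer, auth, method, match_on):
    """Decide an inbound INVITE for `peer` given parsed Authorization fields.

    match_on="name": digest username must equal the device name (the
    comparison the report describes). match_on="auth_user": hypothetical
    alternative that compares against a separate credential name.
    Nonce issuance and freshness checks are left out of this example.
    """
    if peer.get("insecure") == "invite":
        return "accepted without authentication"  # digest is never examined
    expected = peer[match_on]
    if auth["username"] != expected:
        return "username mismatch"
    good = digest_response(expected, auth["realm"], peer["secret"],
                           method, auth["uri"], auth["nonce"])
    if hmac.compare_digest(good, auth["response"]):
        return "authenticated"
    return "bad response"

# Constructed sample data (not from the report).
PEER = {"name": "devicename", "auth_user": "authuser",
        "secret": "constructed-secret"}

def remote_auth(secret):
    """Authorization fields as the remote system would build them."""
    fields = {"username": "authuser", "realm": "example.invalid",
              "uri": "sip:100@example.invalid", "nonce": "constructed-nonce"}
    fields["response"] = digest_response(
        fields["username"], fields["realm"], secret,
        "INVITE", fields["uri"], fields["nonce"])
    return fields

if __name__ == "__main__":
    good, forged = remote_auth(PEER["secret"]), remote_auth("wrong-secret")
    print(check_invite(PEER, good, "INVITE", "name"))        # device name compared
    print(check_invite(PEER, good, "INVITE", "auth_user"))   # credential name compared
    print(check_invite(PEER, forged, "INVITE", "auth_user"))
    print(check_invite(dict(PEER, insecure="invite"), forged, "INVITE", "name"))
```

The last call shows the cost of the workaround: with insecure=invite set, an INVITE carrying a response computed from the wrong secret is accepted just like a valid one.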


