[Asterisk-Dev] Authorization header not formatted properly when REGISTER msg is challenged (algorithm=MD5)

Michael Lunsford michael.lunsford at cbeyond.net
Thu Jul 22 12:55:25 MST 2004


I am new to this forum and am looking for some help on an issue I'm
having with Asterisk. The company I work for has Cisco BTS 10200s
deployed in several Tier 1 cities throughout the US with over 13,000
customers to date. Our engineering team is performing interoperability
testing between Asterisk and Cisco's BTS 10200 softswitch and
has found an issue.

With our switch configured to authorize the registration from Asterisk,
Asterisk responds to the challenge (401 Unauthorized) with an error
in the REGISTER message. The authorization header in the REGISTER msg
from Asterisk contains 'algorithm="MD5"'. The quotes around the MD5
are not per spec in RFC 2617 3.2.1
(http://www.ietf.org/rfc/rfc2617.txt). Section 3.2.2 "The Authorization
Request Header" describes the response a User Agent takes when
challenged with a "401 Unauthorized". It refers to section 3.2.1 "The
WWW-Authenticate Response Header" for the framework of the construction
of the message. Referring to 3.2.1, we see that everything that is
supposed to be quoted in the message states either "quoted-string" or
has <"> to indicate that the quotes are supposed to be in the message.
The quotes around the MD5 are not to be included in the message.

In the source, I removed the quotes so that the authorization header in
the REGISTER message now read 'algorithm=MD5' instead of
'algorithm="MD5"'. The BTS 10200 now accepts the message and sends a 200
OK.

Please let me know your thoughts. I am registered to the bug reporting
site but wanted to query and see if others were in agreement with my
interpretation of the spec.

Thanks,
Michael

Immediately below is the SIP debug of the successful call sequence with
the quotes removed around MD5. Below that is the unsuccessful
registration when the quotes are sent.

#############################################################
SIP debug for successful call registration after I have removed the
quotes from around the MD5 in the authorization header.

*CLI> sip reload
 Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
11 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK15eef8b1
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 102 REGISTER
User-Agent: Asterisk PBX
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK15eef8b1;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 102 REGISTER
WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
nonce="6e2db394cb0ab7851d44d5472b1dac27", algorithm=MD5, qop="auth"
Content-Length: 0


8 headers, 0 lines
12 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK67fcb845
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="6783979900",
realm="customer10.lab2.cbeyond.net", algorithm=MD5,
uri="sip:sia-lab2ca102.lab2.cbeyond.net",
nonce="6e2db394cb0ab7851d44d5472b1dac27",
response="549eb04688dcea6195e24fb1de1d41d0", opaque="", qop="auth",
cnonce="795cdc3e", nc=00000001
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK67fcb845;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 103 REGISTER
Date: Thu, 22 Jul 2004 19:41:54 GMT
Contact: <sip:4000 at 90.1.1.20>;expires=1226,
<sip:4000 at 90.1.1.202>;expires=3600
Authentication-Info: qop="auth",
rspauth="8369aa16a70f6bef295a0366fcd3b2de", cnonce="795cdc3e",
nc=00000001
Content-Length: 0


10 headers, 0 lines


####################################################
Below is sip debug for unsuccessful registration when Asterisk sends
'algorithm="MD5"'


*CLI> sip reload
 Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
11 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK4269b1ab
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 102 REGISTER
User-Agent: Asterisk PBX
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK4269b1ab;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9680_1y9b
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 102 REGISTER
WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
nonce="f6576068a2173d58e60f282deb3d3bd5", algorithm=MD5, qop="auth"
Content-Length: 0


8 headers, 0 lines
12 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK7e9b8de5
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="6783979900",
realm="customer10.lab2.cbeyond.net", algorithm="MD5",
uri="sip:sia-lab2ca102.lab2.cbeyond.net",
nonce="f6576068a2173d58e60f282deb3d3bd5",
response="5840d28faf5e5ed95d0fceda4711bd7b", opaque="", qop="auth",
cnonce="655123e8", nc=00000001
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 400 Bad Request
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK7e9b8de5;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 103 REGISTER
Content-Length: 0


7 headers, 0 lines
    -- Got SIP response 400 "Bad Request" back from 90.0.4.12
Destroying call '56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202'
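
The quoting question raised in this post can be checked mechanically. The following is an added example, not part of the original message and not Asterisk or Cisco code: a small Python linter that compares each parameter of a Digest Authorization header against the quoting given by the RFC 2617 section 3.2.2 grammar. The function names are hypothetical, and the two sample headers are the Authorization values from the traces above, joined onto one line.

```python
import re

# Quoting per the RFC 2617 section 3.2.2 grammar for the Authorization header.
# uri is included with the quoted parameters, as in the RFC's own examples.
QUOTED = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
UNQUOTED = {"algorithm", "qop", "nc"}

# name = "quoted string" | bare-token ; quoted strings may contain commas.
PARAM_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]*)')

def parse_digest(header_value):
    """Return {name: (value, was_quoted)} for a Digest header value."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params = {}
    for name, raw in PARAM_RE.findall(rest):
        quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        params[name.lower()] = (raw[1:-1] if quoted else raw, quoted)
    return params

def quoting_findings(header_value):
    """List (parameter, problem) pairs where quoting deviates from the grammar."""
    findings = []
    for name, (_value, quoted) in parse_digest(header_value).items():
        if name in UNQUOTED and quoted:
            findings.append((name, "quoted, grammar gives a bare token"))
        elif name in QUOTED and not quoted:
            findings.append((name, "bare, grammar gives a quoted string"))
    return findings

# Authorization values copied from the two traces in this post, unwrapped.
ACCEPTED = ('Digest username="6783979900", realm="customer10.lab2.cbeyond.net", '
            'algorithm=MD5, uri="sip:sia-lab2ca102.lab2.cbeyond.net", '
            'nonce="6e2db394cb0ab7851d44d5472b1dac27", '
            'response="549eb04688dcea6195e24fb1de1d41d0", opaque="", '
            'qop="auth", cnonce="795cdc3e", nc=00000001')
REJECTED = ('Digest username="6783979900", realm="customer10.lab2.cbeyond.net", '
            'algorithm="MD5", uri="sip:sia-lab2ca102.lab2.cbeyond.net", '
            'nonce="f6576068a2173d58e60f282deb3d3bd5", '
            'response="5840d28faf5e5ed95d0fceda4711bd7b", opaque="", '
            'qop="auth", cnonce="655123e8", nc=00000001')

if __name__ == "__main__":
    for label, hdr in (("accepted", ACCEPTED), ("rejected", REJECTED)):
        print(label, quoting_findings(hdr))
```

The linter reports `algorithm` only for the header that drew the 400 Bad Request. It reports `qop="auth"` for both headers, because section 3.2.2 also gives qop as a bare token in the Authorization header.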


