[Asterisk-Dev] Authorization header not formatted properly when REGISTER msg is challenged (algorithm=MD5)

Olle E. Johansson oej at edvina.net
Thu Jul 22 14:23:59 MST 2004


Michael Lunsford wrote:

> I am new to this forum and am looking for some help on an issue I'm
> having with the Asterisk. The company I work for has Cisco BTS 10200s
> deployed in several Tier 1 cities through the US with over 13,000
> customers to date. Our engineering team is performing interoperability
> testing between the Asterisk and the Cisco's BTS 10200 softswitch and
> have found an issue.
> 
> With our switch configured to authorize the registration from Asterisk,
> the Asterisk responds to the challenge (401 Unauthorized) with an error
> in the REGISTER message. The authorization header in the REGISTER msg
> from the Asterisk contains 'algorithm="MD5"'. The quotes around the MD5
> are not per spec in RFC 2617 3.2.1
> (http://www.ietf.org/rfc/rfc2617.txt).  Section 3.2.2 "The Authorization
> Request Header" describes the response a User Agent takes when
> challenged with a "401 Unauthorized". It refers to section 3.2.1 "The
> WWW-Authenticate Response Header" for the framework of the construction
> of the message. Referring to 3.2.1, we see that everything that is
> supposed to be quoted in the message states either "quoted-string" or
> has <"> to indicate that the quotes are supposed to be in the message.
> The quotes around the MD5 are not to be included in the message.
> 
> In the source, I removed the quotes so that the authorization header in
> the REGISTER message now read 'algorithm=MD5' instead of
> 'algorithm="MD5"'. The BTS 10200 now accepts the message and sends a 200
> OK.
> 
You are right. This needs to be changed. Open a bug in bugs.digium.com.
RFC3261 examples clearly have algorithm=MD5 without quotes.

/Olle
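
The formatting point discussed in this thread, as an added example that is not part of the original messages or of Asterisk's source: a Digest Authorization value built with `algorithm` as a bare token, plus a check that flags the quoted form. The function names and the sample user, realm, password and nonce are constructed for illustration.

```python
import hashlib
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """request-digest per RFC 2617 section 3.2.2.1 (algorithm MD5)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce):
    """Authorization header value for a challenge that offered no qop."""
    response = digest_response(user, realm, password, method, uri, nonce)
    # quoted-string parameters get quotes; algorithm is a bare token.
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')

# name=value pairs where the value is a quoted-string or a bare token
PARAM = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')

def quoted_algorithm(header_value):
    """True if the algorithm parameter was sent as a quoted string."""
    params = dict(PARAM.findall(header_value))
    return params.get("algorithm", "").startswith('"')

# Constructed sample values, not taken from the thread.
GOOD = build_authorization("asterisk", "bts.example.com", "secret",
                           "REGISTER", "sip:bts.example.com", "abc123")
BAD = GOOD.replace("algorithm=MD5", 'algorithm="MD5"')

if __name__ == "__main__":
    print(GOOD)
    print("quoted algorithm in GOOD:", quoted_algorithm(GOOD))
    print("quoted algorithm in BAD: ", quoted_algorithm(BAD))
```

The same check can be run over captured REGISTER requests during interoperability testing to find user agents that quote the parameter.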


