[Asterisk-Users] SIP protocol bug ???

Jan Janak jan at iptel.org
Fri Nov 7 15:50:22 MST 2003


Asterisk was wrong. Every SIP message can be challenged with 401 or 407,
depending on who is challenging.

If you send a REGISTER message then you can get "407 Proxy
Authentication Required" from any proxy along the path of the message.
You can also get "401 Unauthorized" from registrar.

The same for INVITE, you can get a "407 Proxy Authentication Required"
from a proxy and you can also get "401 Unauthorized" from a PSTN gateway, for
example.

The rule of thumb is: If a SIP network element forwards the request then
it will use 407, if it is the final destination for the request (PSTN
gw, registrar, user agent) then it will use 401.

One message can be also challenged several times before it get's to its
final destination.

  Jan.

On 07-11 09:35, mtm spm wrote:
> Hi Olle,
> 
> --- "Olle E. Johansson" <oej at edvina.net> wrote:
> > The first Invite is without credentials, since
> > digest authentication needs input
> > from the server to create credentials.
> 
> This is also what I understood too from rfc.
> I was just confused becouse in the Asterisk code
> there was something like this:
> 
> case 401: /* Not authorized on REGISTER */
> 	if (p->registry && !strcasecmp(msg, "REGISTER")) {
> 		if ((p->authtries > 1) || do_register_auth(p, req,
> "WWW-Authenticate", "Authorization")) {
> 			ast_log(LOG_NOTICE, "Failed to authenticate on
> REGISTER to '%s'\n", get_header(&p->initreq, "From"));
> 			p->needdestroy = 1;
> } else	p->needdestroy = 1;				
> 
> So, only the case of registration was handled in 401.
> 
> However I just added something like:
> 
> if(!strcasecmp(msg, "INVITE")) {
> 		if ((p->authtries > 1) || do_proxy_auth2(p, req,
> "INVITE", 1)) {
> 			ast_log(LOG_NOTICE, "Failed to authenticate on
> INVITE to '%s'\n", get_header(&p->initreq, "From"));
> 			p->needdestroy = 1;
> }
> and I implemented the new function do_proxy_auth2 as a
> modified version of do_proxy_auth to work with
> "Authorization" instead of "Proxy-Authorization" and I
> got the thing to work fine.
> 
> However, I wanted to check with others who was wrong:
> Asterisk or my SIP provider.
> Is this the right thing to do in respect to the
> standard?
> 
> Tnx,
> MTM
> 
> 
> __________________________________
> Do you Yahoo!?
> Protect your identity with Yahoo! Mail AddressGuard
> http://antispam.yahoo.com/whatsnewfree
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users



More information about the asterisk-users mailing list