[asterisk-users] alwaysauthreject=yes not working as expected

CB kjcsb at xnet.co.nz
Tue Aug 21 04:39:32 CDT 2012 

> > Asterisk 1.4.42
> >
> > Set alwaysauthreject=yes in [general] section of sip.conf.
> > Restarted asterisk
> >
> > However when I attempt to register I still get:
> > [2012-08-08 21:11:34] NOTICE[15689] chan_sip.c: Registration from
> > '<sip:0003330822222261336 at domain.com>' failed for '121.98.1.1' -
> Wrong
> > password
> > [2012-08-08 21:12:42] NOTICE[15689] chan_sip.c: Registration from
> > '<sip:000333082222226133 at domain.com>' failed for '121.98.1.1' - No
> > matching peer found
> >
> > Based on the Asterisk security advisory
> > (http://downloads.asterisk.org/pub/security/AST-2011-011.html) I
> would
> > have expected 1.4.42 to respond the same in both cases (since the
> > issue was fixed in 1.4.41.2). Am I missing something obvious?
> 
> Yes.
> 
> Those are log messages for the administrator's benefit.  They are not
> SIP messages sent in response to the REGISTER request.  The SIP
> messages sent are supposed to be the same not the logging messages.
> 
Yes I agree they are supposed to be the same but they are not. Below is the
dialog when a wrong password is provided with alwaysauthreject=yes:

U 121.98.1.1:1025 -> 203.89.1.1:5060
REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-d88996fba8b1fd8c-1---d8754z-
;rport..Max-Forwards: 70..C
ontact: 
<sip:12322222261336 at 192.168.1.103:5060;rinstance=da68419a02006162>.
.To: <sip:12322222261336 at domain.com>..From: 
<sip:1232222
2261336 at domain.com>;tag=f910aa53..Call-ID: 
ZmM4YTU4NTg2MWNhYzVkYTBhN2Q2MjA1YmUyMmYzY2E...CSeq: 1 REGISTER..Expires: 
3600..Allow: INVITE, ACK, CANC
EL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO..User-Agent: 
X-Lite release 5.0.0 stamp 67284..Content-Length: 0....

U 203.89.1.1:5060 -> 121.98.1.1:1025
SIP/2.0 100 Trying..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-d88996fba8b1fd8c-1---d8754z-
;received=121.98.1.1;rport=1025..From: <sip:000333
0822222261336 at domain.com>;tag=f910aa53..To: 
<sip:12322222261336 at domain.com>..Call-ID: 
ZmM4YTU4NTg2MWNhYzVkYTBhN2Q2MjA1YmUyMmYzY
2E...CSeq: 1 REGISTER..User-Agent: Asterisk PBX..Allow: INVITE, ACK, 
CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO..Supported: 
replaces..Content-Length:
0....

U 203.89.1.1:5060 -> 121.98.1.1:1025
SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-d88996fba8b1fd8c-1---d8754z-
;received=121.98.1.1;rport=1025..From: <sip:
12322222261336 at domain.com>;tag=f910aa53..To: 
<sip:12322222261336 at domain.com>;tag=as16fea110..Call-
ID: ZmM4YTU4NTg2MWNhYzVk
YTBhN2Q2MjA1YmUyMmYzY2E...CSeq: 1 REGISTER..User-Agent: Asterisk 
PBX..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, 
INFO..Supported: repla
ces..WWW-Authenticate: Digest algorithm=MD5, realm="domain.com", 
nonce="2f48b121"..Content-Length: 0....

U 121.98.1.1:1025 -> 203.89.1.1:5060
REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-5c88940128ede618-1---d8754z-
;rport..Max-Forwards: 70..C
ontact: 
<sip:12322222261336 at 192.168.1.103:5060;rinstance=da68419a02006162>.
.To: <sip:12322222261336 at domain.com>..From: 
<sip:1232222
2261336 at domain.com>;tag=f910aa53..Call-ID: 
ZmM4YTU4NTg2MWNhYzVkYTBhN2Q2MjA1YmUyMmYzY2E...CSeq: 2 REGISTER..Expires: 
3600..Allow: INVITE, ACK, CANC
EL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO..User-Agent: 
X-Lite release 5.0.0 stamp 67284..Authorization: Digest 
username="12322222261336",re
alm="domain.com",nonce="2f48b121",uri="sip:c-vm-
02.domain.com",response="cb74a7805412a3ac198800aeede3c06e",algorit
hm=MD5..Content-Length: 0....

U 203.89.1.1:5060 -> 121.98.1.1:1025
SIP/2.0 100 Trying..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-5c88940128ede618-1---d8754z-
;received=121.98.1.1;rport=1025..From: <sip:000333
0822222261336 at domain.com>;tag=f910aa53..To: 
<sip:12322222261336 at domain.com>..Call-ID: 
ZmM4YTU4NTg2MWNhYzVkYTBhN2Q2MjA1YmUyMmYzY
2E...CSeq: 2 REGISTER..User-Agent: Asterisk PBX..Allow: INVITE, ACK, 
CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO..Supported: 
replaces..Content-Length:
0....

SIP/2.0 403 Forbidden (Bad auth)..Via: SIP/2.0/UDP 
192.168.1.103:5060;branch=z9hG4bK-d8754z-5c88940128ede618-1---d8754z-
;received=121.98.1.1;rport=1025..Fro
m: <sip:12322222261336 at domain.com>;tag=f910aa53..To:
<sip:12322222261336 at domain.com>;tag=as16fea110..Call-ID: ZmM4YTU4NTg2
MWNhYzVkYTBhN2Q2MjA1YmUyMmYzY2E...CSeq: 2 REGISTER..User-Agent: 
Asterisk PBX..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, 
SUBSCRIBE, NOTIFY, INFO..Supporte
d: replaces..Content-Length: 0....

Is this a bug or am I missing something obvious?

More information about the asterisk-users mailing list