[asterisk-users] Question on calculating PJSIP md5 authentication with NEC

Dan Cropp dan at amtelco.com
Mon Jul 22 10:19:05 CDT 2019

Thank you Joshua.

We are confident the problem is with NEC.

One day, Asterisk PJSIP REGISTER response (md5) was being rejected by NEC.
Next morning, it's suddenly working with no changes to asterisk.  Same exact configuration settings.
Suddenly, last Friday NEC starts rejecting the REGISTER again with no changes to asterisk configuration file.

NEC has since responded that they have a separate PJSIP setting for REGISTRATION.  We are trying to find out more information from them.
NEC claim doesn't explain why it worked for several hours and suddenly stopped working.  This really feels like they have been modifying settings on their end without informing us.


-----Original Message-----
From: asterisk-users <asterisk-users-bounces at lists.digium.com> On Behalf Of Joshua C. Colp
Sent: Monday, July 15, 2019 1:31 PM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Question on calculating PJSIP md5 authentication with NEC

On Fri, Jul 12, 2019, at 5:10 PM, Dan Cropp wrote:
> Just tracked down the code for the chan_sip MD5 REGISTER and have been 
> able to verify that chan_sip is calculating the HA1 same as I am 
> calculating the md5_cred for PJSIP
> 3016:abc at xyz.com:3016
> Both chan_sip and PJSIP REGISTER traces show the uri as 
> sip:
> So the HA2 for both as MD5(method:uri) (which in this case is 
> chan_sip response formula with qop detected (sent by NEC) is
> ha1:nonce:noncecount:cnonce:auth:h2
> Using this formula I am able to match it with my Asterisk chan_sip trace. 
> NEC accepts this REGISTER
> Can anyone point me to the area where Asterisk PJSIP would be doing 
> the response for the REGISTER 401 reply?
> NEC does not like the way PJSIP calculates the response value for the 
> REGISTER reply.
> I tried to calculate the response exactly like chan_sip does (using 
> the values from the trace and the HA1/HA2) but it’s not matching what 
> the sip trace shows Asterisk sending for the response.
> Does Asterisk PJSIP support handle this or is it all done by PJSIP? 

The value is given to PJSIP[1] and it does the rest. You could use the password option and trace how PJSIP is calculating it in that scenario, and then switch to MD5 cred after you determine that and make it match.

[1] https://github.com/asterisk/asterisk/blob/master/res/res_pjsip_authenticator_digest.c#L180

Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US Check us out at: www.digium.com & www.asterisk.org

-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:

More information about the asterisk-users mailing list