[asterisk-users] PJSIP tight loop on auth failure

Joshua C. Colp jcolp at sangoma.com
Wed Oct 28 12:40:15 CDT 2020


On Wed, Oct 28, 2020 at 2:31 PM Kingsley Tart - Barritel Ltd <
kingsley.tart at barritel.com> wrote:

> Hi,
>
> We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
>
> I've found an issue when Asterisk tries to make a SIP call out using
> auth, but has the wrong credentials and keeps getting returned a SIP
> 407, in this example to an OpenSIPs server requiring user auth.
>
> Basically this happens:
>
>    1. Asterisk sends plain INVITE to OpenSIPs
>    2. OpenSIPs responds with SIP 407 auth required with a
>       Proxy-Authenticate header
>    3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
>       header, but has the wrong password
>    4. goto step 2 and repeat forever
>
> So what we're seeing is Asterisk re-sending an INVITE with incorrect
> auth (which is clearly never going to work), about every 2ms.
>
> The Call-ID remains the same all of the time.
>
> Shouldn't PJSIP realise that this isn't going to work after a few tries
> and give up?
>
> The only way I've found of stopping the seemingly infinite loop is to
> either restart Asterisk or temporarily block network traffic between
> the two machines in order to break the cycle.
>
> Any idea whether this has been fixed in a later version?
>

This is not yet fixed, but is being worked on. I have it as a security
issue currently out of caution (although I don't think we'll treat it as
one after further investigation).

-- 
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
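
A log-side check for the loop described in this thread, added here as an example and not taken from either poster or from Asterisk/PJSIP code: it counts, per Call-ID, the 407 responses that answer an INVITE which already carried Proxy-Authorization. The threshold, the function names and the sample messages are assumptions; a 407 whose challenge says `stale=true` is not counted, since that indicates an expired nonce rather than wrong credentials.

```python
import re
from collections import defaultdict
def parse_sip(raw):
    """Return (start_line, headers) for one SIP message; header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def find_auth_loops(messages, max_rejections=3):
    """Map Call-ID -> number of 407s answering a credentialed INVITE, if above the limit."""
    last_invite_had_auth = defaultdict(bool)
    rejections = defaultdict(int)
    for raw in messages:
        start, hdr = parse_sip(raw)
        call_id = hdr.get("call-id", "")
        if start.startswith("INVITE "):
            last_invite_had_auth[call_id] = "proxy-authorization" in hdr
        elif re.match(r"SIP/2\.0 407\b", start) and "INVITE" in hdr.get("cseq", ""):
            # stale=true means the nonce expired, so one more retry is legitimate
            stale = re.search(r'stale\s*=\s*"?true', hdr.get("proxy-authenticate", ""), re.I)
            if last_invite_had_auth[call_id] and not stale:
                rejections[call_id] += 1
    return {cid: n for cid, n in rejections.items() if n > max_rejections}

# Constructed sample messages (not captured traffic); names and hosts are placeholders.
def invite(call_id, cseq, auth=False):
    cred = 'Proxy-Authorization: Digest username="alice", response="0"\r\n' if auth else ""
    return (f"INVITE sip:bob@example.invalid SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"CSeq: {cseq} INVITE\r\n{cred}\r\n")

def reply(code, call_id, cseq, stale=False):
    chal = ""
    if code == 407:
        chal = 'Proxy-Authenticate: Digest realm="example", nonce="n"%s\r\n' % (", stale=true" if stale else "")
    return f"SIP/2.0 {code} X\r\nCall-ID: {call_id}\r\nCSeq: {cseq} INVITE\r\n{chal}\r\n"

def sample_trace():
    good = [invite("good", 1), reply(407, "good", 1), invite("good", 2, True), reply(200, "good", 2)]
    stale = [invite("stale", 1), reply(407, "stale", 1), invite("stale", 2, True),
             reply(407, "stale", 2, stale=True), invite("stale", 3, True), reply(200, "stale", 3)]
    loop = [invite("loop", 1), reply(407, "loop", 1)]
    for cseq in range(2, 7):  # five credentialed retries, each rejected
        loop += [invite("loop", cseq, True), reply(407, "loop", cseq)]
    return good + stale + loop
```

Calling `find_auth_loops(sample_trace())` flags only the constructed `loop` call; the normal challenge/response exchange and the stale-nonce retry stay below the threshold.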