[Asterisk-Dev] Authorization header not formatted properly when REGISTER msg is challenged (algorithm=MD5)

Rob Gagnon rob at networkip.net
Thu Jul 22 15:47:00 MST 2004


This is interesting....  You obviously are right, in that the quotes fix
your problem.  The issue seems to stem from an inconsistency in RFC3261...

Sections 20.27, and 20.44 show examples with the MD5 without quotes:
   Example:
      Proxy-Authenticate: Digest realm="atlanta.com",
      domain="sip:ss1.carrier.com", qop="auth",
      nonce="f84f1cec41e6cbe5aea9c8e88d359",
      opaque="", stale=FALSE, algorithm=MD5

Now, in Section 25.1 (Basic Rules), the value for "algorithm" is shown to
apparently require the quotes:
   algorithm = "algorithm" EQUAL ( "MD5" / "MD5-sess" / token )

So... I would think the solution, for now, is to make this configurable.  I
would imagine there are some devices that require the quotes, some that do
not want it, and some that don't care.

Until the RFC is cleared up, or Cisco modifies their IOS to support either
quoted, or un-quoted values, I don't see much else you can do.

Rob

----- Original Message ----- 
From: "Michael Lunsford" <michael.lunsford at cbeyond.net>
To: <asterisk-dev at lists.digium.com>
Sent: Thursday, July 22, 2004 2:55 PM
Subject: [Asterisk-Dev] Authorization header not formatted properly when
REGISTER msg is challenged (algorithm=MD5)


I am new to this forum and am looking for some help on an issue I'm
having with the Asterisk. The company I work for has Cisco BTS 10200s
deployed in several Tier 1 cities through the US with over 13,000
customers to date. Our engineering team is performing interoperability
testing between the Asterisk and the Cisco's BTS 10200 softswitch and
have found an issue.

With our switch configured to authorize the registration from Asterisk,
the Asterisk responds to the challenge (401 Unauthorized) with an error
in the REGISTER message. The authorization header in the REGISTER msg
from the Asterisk contains 'algorithm="MD5"'. The quotes around the MD5
are not per spec in RFC 2617 3.2.1
(http://www.ietf.org/rfc/rfc2617.txt).  Section 3.2.2 "The Authorization
Request Header" describes the response a User Agent takes when
challenged with a "401 Unauthorized". It refers to section 3.2.1 "The
WWW-Authenticate Response Header" for the framework of the construction
of the message. Referring to 3.2.1, we see that everything that is
supposed to be quoted in the message states either "quoted-string" or
has <"> to indicate that the quotes are supposed to be in the message.
The quotes around the MD5 are not to be included in the message.

In the source, I removed the quotes so that the authorization header in
the REGISTER message now read 'algorithm=MD5' instead of
'algorithm="MD5"'. The BTS 10200 now accepts the message and sends a 200
OK.

Please let me know your thoughts. I am registered to the bug reporting
site but wanted to query and see if others were in agreement with my
interpretation of the spec.

Thanks,
Michael

Immediately below is the SIP debug of the successful call sequence with
the quotes removed around MD5.  Below that is the unsuccessful
registration when the quotes are sent.

#############################################################
SIP debug for successful call registration after I have removed the
quotes from around the MD5 in the authorization header.

*CLI> sip reload
 Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
11 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK15eef8b1
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 102 REGISTER
User-Agent: Asterisk PBX
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK15eef8b1;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 102 REGISTER
WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
nonce="6e2db394cb0ab7851d44d5472b1dac27", algorithm=MD5, qop="auth"
Content-Length: 0


8 headers, 0 lines
12 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK67fcb845
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="6783979900",
realm="customer10.lab2.cbeyond.net", algorithm=MD5,
uri="sip:sia-lab2ca102.lab2.cbeyond.net",
nonce="6e2db394cb0ab7851d44d5472b1dac27",
response="549eb04688dcea6195e24fb1de1d41d0", opaque="", qop="auth",
cnonce="795cdc3e", nc=00000001
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK67fcb845;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
CSeq: 103 REGISTER
Date: Thu, 22 Jul 2004 19:41:54 GMT
Contact: <sip:4000 at 90.1.1.20>;expires=1226,
<sip:4000 at 90.1.1.202>;expires=3600
Authentication-Info: qop="auth",
rspauth="8369aa16a70f6bef295a0366fcd3b2de", cnonce="795cdc3e",
nc=00000001
Content-Length: 0


10 headers, 0 lines


####################################################
Below is sip debug for unsuccessful registration when Asterisk sends
'algorithm="MD5"'


*CLI> sip reload
 Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
11 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK4269b1ab
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 102 REGISTER
User-Agent: Asterisk PBX
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK4269b1ab;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To:
<sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9680_1y9b
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 102 REGISTER
WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
nonce="f6576068a2173d58e60f282deb3d3bd5", algorithm=MD5, qop="auth"
Content-Length: 0


8 headers, 0 lines
12 headers, 0 lines
Reliably Transmitting:
REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK7e9b8de5
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="6783979900",
realm="customer10.lab2.cbeyond.net", algorithm="MD5",
uri="sip:sia-lab2ca102.lab2.cbeyond.net",
nonce="f6576068a2173d58e60f282deb3d3bd5",
response="5840d28faf5e5ed95d0fceda4711bd7b", opaque="", qop="auth",
cnonce="655123e8", nc=00000001
Expires: 3600
Contact: <sip:4000 at 90.1.1.202>
Event: registration
Content-Length: 0

 (no NAT) to 90.0.4.12:5060


Sip read:
SIP/2.0 400 Bad Request
Via: SIP/2.0/UDP
90.1.1.202:5060;branch=z9hG4bK7e9b8de5;received=90.1.1.202
From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
CSeq: 103 REGISTER
Content-Length: 0


7 headers, 0 lines
    -- Got SIP response 400 "Bad Request" back from 90.0.4.12
Destroying call '56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202'
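
An added example (not from this thread and not Asterisk source) of the two interop measures discussed above: a receiver-side parser that accepts the algorithm value with or without quotes, and a sender-side formatter whose quoting is configurable. The function names and the `quote` flag are hypothetical; the sample strings are shortened from the two Authorization headers in the traces.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed samples, shortened from the two Authorization headers above. */
static const char *SENT_TOKEN  = "Digest username=\"6783979900\", algorithm=MD5, qop=\"auth\", nc=00000001";
static const char *SENT_QUOTED = "Digest username=\"6783979900\", algorithm=\"MD5\", qop=\"auth\", nc=00000001";

/* Copy digest parameter `name` into `out`, accepting token and quoted-string
 * values alike. Backslash escapes inside quotes are not interpreted.
 * Returns 1 if the parameter is found and fits in `out`, otherwise 0. */
int digest_param(const char *p, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        const char *key = p;
        while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) p++;
        size_t klen = (size_t)(p - key);
        if (*p != '=') continue;              /* bare word such as the "Digest" scheme */
        int quoted = (*++p == '"');
        const char *val = (p += quoted);      /* step over an opening quote if present */
        while (*p && (quoted ? *p != '"' : (*p != ',' && !isspace((unsigned char)*p)))) p++;
        size_t vlen = (size_t)(p - val);
        if (quoted && *p == '"') p++;         /* step over the closing quote */
        if (klen == nlen && strncasecmp(key, name, nlen) == 0) {
            if (vlen >= outlen) return 0;     /* refuse to truncate */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Emit the parameter; `quote` stands for a hypothetical per-peer setting. */
int format_algorithm(char *out, size_t outlen, const char *alg, int quote)
{
    int n = quote ? snprintf(out, outlen, "algorithm=\"%s\"", alg)
                  : snprintf(out, outlen, "algorithm=%s", alg);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    char a[16] = "", b[16] = "";
    digest_param(SENT_TOKEN, "algorithm", a, sizeof a);
    digest_param(SENT_QUOTED, "algorithm", b, sizeof b);
    printf("token form: %s, quoted form: %s\n", a, b);
    return 0;
}
```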