[Asterisk-Dev] Authorization header not formatted properly when
REGISTER msg is challenged (algorithm=MD5)
Karl Brose
khb at brose.com
Thu Jul 22 21:02:39 MST 2004
In the RFC the usage of quotes around MD5 and other terms only denotes
the literal inclusion of the term rather than some value represented
by the term, so there is no inconsistency.
The inconsistency is in the interpretation of the syntax by various
folk, since Asterisk isn't the only UA that is doing this wrong for MD5.
Rob Gagnon wrote:
>This is interesting.... You obviously are right, in that the quotes fix
>your problem. The issue seems to stem from an inconsistency in RFC3261...
>
>Sections 20.27, and 20.44 show examples with the MD5 without quotes:
> Example:
> Proxy-Authenticate: Digest realm="atlanta.com",
> domain="sip:ss1.carrier.com", qop="auth",
> nonce="f84f1cec41e6cbe5aea9c8e88d359",
> opaque="", stale=FALSE, algorithm=MD5
>
>Now, in Section 25.1 (Basic Rules), the value for "algorithm" is shown to
>apparently require the quotes:
> algorithm = "algorithm" EQUAL ( "MD5" / "MD5-sess" / token )
>
>So... I would think the solution, for now, is to make this configurable. I
>would imagine there are some devices that require the quotes, some that do
>not want it, and some that don't care.
>
>Until the RFC is cleared up, or Cisco modifies their IOS to support either
>quoted, or un-quoted values, I don't see much else you can do.
>
>Rob
>
>----- Original Message -----
>From: "Michael Lunsford" <michael.lunsford at cbeyond.net>
>To: <asterisk-dev at lists.digium.com>
>Sent: Thursday, July 22, 2004 2:55 PM
>Subject: [Asterisk-Dev] Authorization header not formatted properly when
>REGISTER msg is challenged (algorithm=MD5)
>
>
>I am new to this forum and am looking for some help on an issue I'm
>having with the Asterisk. The company I work for has Cisco BTS 10200s
>deployed in several Tier 1 cities through the US with over 13,000
>customers to date. Our engineering team is performing interoperability
>testing between the Asterisk and the Cisco's BTS 10200 softswitch and
>have found an issue.
>
>With our switch configured to authorize the registration from Asterisk,
>the Asterisk responds to the challenge (401 Unauthorized) with an error
>in the REGISTER message. The authorization header in the REGISTER msg
>from the Asterisk contains 'algorithm="MD5"'. The quotes around the MD5
>are not per spec in RFC 2617 3.2.1
>(http://www.ietf.org/rfc/rfc2617.txt). Section 3.2.2 "The Authorization
>Request Header" describes the response a User Agent takes when
>challenged with a "401 Unauthorized". It refers to section 3.2.1 "The
>WWW-Authenticate Response Header" for the framework of the construction
>of the message. Referring to 3.2.1, we see that everything that is
>supposed to be quoted in the message states either "quoted-string" or
>has <"> to indicate that the quotes are supposed to be in the message.
>The quotes around the MD5 are not to be included in the message.
>
>In the source, I removed the quotes so that the authorization header in
>the REGISTER message now read 'algorithm=MD5' instead of
>'algorithm="MD5"'. The BTS 10200 now accepts the message and sends a 200
>OK.
>
>Please let me know your thoughts. I am registered to the bug reporting
>site but wanted to query and see if others were in agreement with my
>interpretation of the spec.
>
>Thanks,
>Michael
>
>Immediately below is the SIP debug of the successful call sequence with
>the quotes removed around MD5. Below that is the unsuccessful
>registration when the quotes are sent.
>
>#############################################################
>SIP debug for successful call registration after I have removed the
>quotes from around the MD5 in the authorization header.
>
>*CLI> sip reload
> Reloading SIP
> == Parsing '/etc/asterisk/sip.conf': Found
>11 headers, 0 lines
>Reliably Transmitting:
>REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
>Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK15eef8b1
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
>To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
>Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
>CSeq: 102 REGISTER
>User-Agent: Asterisk PBX
>Expires: 3600
>Contact: <sip:4000 at 90.1.1.202>
>Event: registration
>Content-Length: 0
>
> (no NAT) to 90.0.4.12:5060
>
>
>Sip read:
>SIP/2.0 401 Unauthorized
>Via: SIP/2.0/UDP
>90.1.1.202:5060;branch=z9hG4bK15eef8b1;received=90.1.1.202
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
>To:
><sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
>Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
>CSeq: 102 REGISTER
>WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
>nonce="6e2db394cb0ab7851d44d5472b1dac27", algorithm=MD5, qop="auth"
>Content-Length: 0
>
>
>8 headers, 0 lines
>12 headers, 0 lines
>Reliably Transmitting:
>REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
>Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK67fcb845
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
>To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
>Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
>CSeq: 103 REGISTER
>User-Agent: Asterisk PBX
>Authorization: Digest username="6783979900",
>realm="customer10.lab2.cbeyond.net", algorithm=MD5,
>uri="sip:sia-lab2ca102.lab2.cbeyond.net",
>nonce="6e2db394cb0ab7851d44d5472b1dac27",
>response="549eb04688dcea6195e24fb1de1d41d0", opaque="", qop="auth",
>cnonce="795cdc3e", nc=00000001
>Expires: 3600
>Contact: <sip:4000 at 90.1.1.202>
>Event: registration
>Content-Length: 0
>
> (no NAT) to 90.0.4.12:5060
>
>
>Sip read:
>SIP/2.0 200 OK
>Via: SIP/2.0/UDP
>90.1.1.202:5060;branch=z9hG4bK67fcb845;received=90.1.1.202
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as64e78660
>To:
><sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9670_537e
>Call-ID: 6f264ca6263293f5400ccaa527dce06d at 90.1.1.202
>CSeq: 103 REGISTER
>Date: Thu, 22 Jul 2004 19:41:54 GMT
>Contact: <sip:4000 at 90.1.1.20>;expires=1226,
><sip:4000 at 90.1.1.202>;expires=3600
>Authentication-Info: qop="auth",
>rspauth="8369aa16a70f6bef295a0366fcd3b2de", cnonce="795cdc3e",
>nc=00000001
>Content-Length: 0
>
>
>10 headers, 0 lines
>
>
>####################################################
>Below is sip debug for unsuccessful registration when Asterisk sends
>'algorithm="MD5"'
>
>
>*CLI> sip reload
> Reloading SIP
> == Parsing '/etc/asterisk/sip.conf': Found
>11 headers, 0 lines
>Reliably Transmitting:
>REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
>Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK4269b1ab
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
>To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
>Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
>CSeq: 102 REGISTER
>User-Agent: Asterisk PBX
>Expires: 3600
>Contact: <sip:4000 at 90.1.1.202>
>Event: registration
>Content-Length: 0
>
> (no NAT) to 90.0.4.12:5060
>
>
>Sip read:
>SIP/2.0 401 Unauthorized
>Via: SIP/2.0/UDP
>90.1.1.202:5060;branch=z9hG4bK4269b1ab;received=90.1.1.202
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
>To:
><sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=1_1102_t9680_1y9b
>Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
>CSeq: 102 REGISTER
>WWW-Authenticate: Digest realm="customer10.lab2.cbeyond.net",
>nonce="f6576068a2173d58e60f282deb3d3bd5", algorithm=MD5, qop="auth"
>Content-Length: 0
>
>
>8 headers, 0 lines
>12 headers, 0 lines
>Reliably Transmitting:
>REGISTER sip:sia-lab2ca102.lab2.cbeyond.net SIP/2.0
>Via: SIP/2.0/UDP 90.1.1.202:5060;branch=z9hG4bK7e9b8de5
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
>To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
>Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
>CSeq: 103 REGISTER
>User-Agent: Asterisk PBX
>Authorization: Digest username="6783979900",
>realm="customer10.lab2.cbeyond.net", algorithm="MD5",
>uri="sip:sia-lab2ca102.lab2.cbeyond.net",
>nonce="f6576068a2173d58e60f282deb3d3bd5",
>response="5840d28faf5e5ed95d0fceda4711bd7b", opaque="", qop="auth",
>cnonce="655123e8", nc=00000001
>Expires: 3600
>Contact: <sip:4000 at 90.1.1.202>
>Event: registration
>Content-Length: 0
>
> (no NAT) to 90.0.4.12:5060
>
>
>Sip read:
>SIP/2.0 400 Bad Request
>Via: SIP/2.0/UDP
>90.1.1.202:5060;branch=z9hG4bK7e9b8de5;received=90.1.1.202
>From: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>;tag=as034fa66d
>To: <sip:6783979900 at sia-lab2ca102.lab2.cbeyond.net>
>Call-ID: 56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202
>CSeq: 103 REGISTER
>Content-Length: 0
>
>
>7 headers, 0 lines
> -- Got SIP response 400 "Bad Request" back from 90.0.4.12
>Destroying call '56ecb3a6001b35192b5ee19d4138fe81 at 90.1.1.202'
>_______________________________________________
>Asterisk-Dev mailing list
>Asterisk-Dev at lists.digium.com
>http://lists.digium.com/mailman/listinfo/asterisk-dev
>To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
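One way to handle the quoting disagreement discussed in this thread, as an added example (not Asterisk's code and not part of the original messages): parse `algorithm` leniently as either a token or a quoted-string, and always emit it as a bare token. `TOKEN_ONLY`, the function names and the regular expression are assumptions of this example; the sample input is the rejected Authorization header from the trace above, unfolded onto one line.

```python
import re

# Parameters that RFC 2617 section 3.2.1 defines as bare tokens rather than
# quoted-strings. Only "algorithm" is listed because it is the parameter
# this thread is about (assumption of this example).
TOKEN_ONLY = {"algorithm"}

# One auth-param: name "=" ( quoted-string / token ), then "," or end of input.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_digest(header_value):
    """Return {name: (value, was_quoted)} for a 'Digest ...' header value."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        params[name] = (quoted if quoted is not None else token,
                        quoted is not None)
        pos = m.end()
    return params

def lint(params):
    """Names of parameters sent quoted where the grammar expects a token."""
    return sorted(n for n, (_, q) in params.items() if q and n in TOKEN_ONLY)

def serialize(params):
    """Re-emit the header, forcing TOKEN_ONLY parameters to bare tokens."""
    parts = []
    for name, (value, was_quoted) in params.items():
        quote = was_quoted and name not in TOKEN_ONLY
        parts.append('%s="%s"' % (name, value) if quote
                     else "%s=%s" % (name, value))
    return "Digest " + ", ".join(parts)

# The Authorization header that drew "400 Bad Request" in the trace, unfolded.
REJECTED = ('Digest username="6783979900", '
            'realm="customer10.lab2.cbeyond.net", algorithm="MD5", '
            'uri="sip:sia-lab2ca102.lab2.cbeyond.net", '
            'nonce="f6576068a2173d58e60f282deb3d3bd5", '
            'response="5840d28faf5e5ed95d0fceda4711bd7b", opaque="", '
            'qop="auth", cnonce="655123e8", nc=00000001')
```

On the receiving side, `parse_digest` yields the same `algorithm` value whether or not the peer quoted it, so a server built this way would not reject the request on quoting alone.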