[asterisk-users] PJSIP tight loop on auth failure
Kingsley Tart - Barritel Ltd
kingsley.tart at barritel.com
Wed Oct 28 12:30:54 CDT 2020
Hi,
We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
I've found an issue when Asterisk tries to make a SIP call out using
auth, but has the wrong credentials and keeps getting returned a SIP
407, in this example to an OpenSIPs server requiring user auth.
Basically this happens:
1. Asterisk sends plain INVITE to OpenSIPs
2. OpenSIPs responds with SIP 407 auth required with a Proxy-
Authenticate header
3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
header, but has the wrong password
4. goto step 2 and repeat forever
So what we're seeing is Asterisk re-sending an INVITE with incorrect
auth (which is clearly never going to work), about every 2ms.
The Call-ID remains the same all of the time.
Shouldn't PJSIP realise that this isn't going to work after a few tries
and give up?
The only way I've found of stopping the seemingly infinite loop is to
either restart Asterisk or temporarily block network traffic between
the two machines in order to break the cycle.
Any idea whether this has been fixed in a later version?
This is basically the response coming back from OpenSIPs (anonymised),
whether Asterisk didn't provide
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 100.101.102.103:5060;received=100.101.102.103;rport=5060;branch=z9hG4bKPja942e87d-c501-4834-9184-f002c3fd53d2
From: <sip:01970123456 at 100.101.102.103>;tag=075f669f-9115-42a8-8c98-6170a2910e4b
To: <sip:012345678900 at opensips7a.barritel.com>;tag=c97b4d1cb1f3d0da549e06a8d482ef63.fefa
Call-ID: f79caf90-5b95-4db7-966b-a42e2d372c90
CSeq: 34157 INVITE
Proxy-Authenticate: Digest realm="sip.example.com", nonce="5f96c21800011caac9f7e901848de60a1e186b402bd9b710", qop="auth"
Server: OpenSIPS (1.11.6-tls (x86_64/linux))
Content-Length: 0
The caveat is that whether what OpenSIPs is doing is correct or broken,
our customers can edit the auth on their own SIP gateways, so our
system needs to be able to handle it properly.
Cheers,
Kingsley.
More information about the asterisk-users
mailing list