[asterisk-users] PJSIP tight loop on auth failure
Joshua C. Colp
jcolp at sangoma.com
Wed Oct 28 12:40:15 CDT 2020
On Wed, Oct 28, 2020 at 2:31 PM Kingsley Tart - Barritel Ltd <
kingsley.tart at barritel.com> wrote:
> Hi,
>
> We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
>
> I've found an issue when Asterisk tries to make a SIP call out using
> auth, but has the wrong credentials and keeps getting returned a SIP
> 407, in this example to an OpenSIPs server requiring user auth.
>
> Basically this happens:
>
> 1. Asterisk sends plain INVITE to OpenSIPs
> 2. OpenSIPs responds with SIP 407 auth required with a Proxy-
> Authenticate header
> 3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
> header, but has the wrong password
> 4. goto step 2 and repeat forever
>
> So what we're seeing is Asterisk re-sending an INVITE with incorrect
> auth (which is clearly never going to work), about every 2ms.
>
> The Call-ID remains the same all of the time.
>
> Shouldn't PJSIP realise that this isn't going to work after a few tries
> and give up?
>
> The only way I've found of stopping the seemingly infinite loop is to
> either restart Asterisk or temporarily block network traffic between
> the two machines in order to break the cycle.
>
> Any idea whether this has been fixed in a later version?
>
This is not yet fixed, but is being worked on. I have it as a security
issue currently out of caution (although I don't think we'll treat it as
one after further investigation).
--
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
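
A detection sketch for the loop described in the quoted report, added here as an example; it is not part of the original thread and is not Asterisk or PJSIP code. It flags any Call-ID whose credentialed INVITE keeps being answered with 407. The function names, the `(timestamp, raw message)` input shape, the threshold of 3 and the sample trace are all assumptions made for illustration, and compact header forms are not handled.

```python
from collections import defaultdict

def parse_sip(raw):
    """Return (start_line, headers) for one SIP message; header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def find_auth_loops(trace, max_rejections=3):
    """trace: iterable of (timestamp_seconds, raw_message).
    Returns {call_id: {"rejections": n, "mean_gap_ms": x}} for every Call-ID
    where an INVITE that already carried Proxy-Authorization was answered
    with 407 more than max_rejections times."""
    authed = defaultdict(bool)       # Call-ID -> did the last INVITE carry credentials?
    rejected_at = defaultdict(list)  # Call-ID -> times of 407s to credentialed INVITEs
    for ts, raw in trace:
        start, hdrs = parse_sip(raw)
        call_id = hdrs.get("call-id")
        if call_id is None or not hdrs.get("cseq", "").endswith("INVITE"):
            continue
        if start.startswith("INVITE "):
            authed[call_id] = "proxy-authorization" in hdrs
        elif start.startswith("SIP/2.0 407") and authed[call_id]:
            rejected_at[call_id].append(ts)
    loops = {}
    for call_id, times in rejected_at.items():
        if len(times) > max_rejections:
            gap = (times[-1] - times[0]) / max(len(times) - 1, 1) * 1000
            loops[call_id] = {"rejections": len(times), "mean_gap_ms": round(gap, 3)}
    return loops

def constructed_trace(call_id, rounds, step=0.002):
    """Constructed sample data: a plain INVITE/407, then `rounds` credentialed INVITE/407 pairs."""
    def invite(cseq, auth):
        extra = 'Proxy-Authorization: Digest username="u", response="x"\r\n' if auth else ""
        return f"INVITE sip:100@example.invalid SIP/2.0\r\nCall-ID: {call_id}\r\nCSeq: {cseq} INVITE\r\n{extra}\r\n"
    def r407(cseq):
        return f'SIP/2.0 407 Proxy Authentication Required\r\nCall-ID: {call_id}\r\nCSeq: {cseq} INVITE\r\nProxy-Authenticate: Digest realm="r", nonce="n"\r\n\r\n'
    trace = [(0.0, invite(1, False)), (0.001, r407(1))]
    for i in range(rounds):
        t = 0.002 + i * step
        trace += [(t, invite(2 + i, True)), (t + 0.001, r407(2 + i))]
    return trace
```

A single challenge followed by one rejected retry stays under the threshold; only sustained rejection of credentialed INVITEs on the same Call-ID is reported, along with the mean gap between rejections.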