[asterisk-users] PJSIP tight loop on auth failure

Olivier oza.4h07 at gmail.com
Thu Oct 29 02:39:52 CDT 2020


Hi,
What if some fail2ban magic could keep OpenSIPs response from hitting
Asterisk after N attempts ?

Le mer. 28 oct. 2020 à 18:32, Kingsley Tart - Barritel Ltd <
kingsley.tart at barritel.com> a écrit :

> Hi,
>
> We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
>
> I've found an issue when Asterisk tries to make a SIP call out using
> auth, but has the wrong credentials and keeps getting returned a SIP
> 407, in this example to an OpenSIPs server requiring user auth.
>
> Basically this happens:
>
>    1. Asterisk sends plain INVITE to OpenSIPs
>    2. OpenSIPs responds with SIP 407 auth required with a Proxy-
>       Authenticate header
>    3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
>       header, but has the wrong password
>    4. goto step 2 and repeat forever
>
> So what we're seeing is Asterisk re-sending an INVITE with incorrect
> auth (which is clearly never going to work), about every 2ms.
>
> The Call-ID remains the same all of the time.
>
> Shouldn't PJSIP realise that this isn't going to work after a few tries
> and give up?
>
> The only way I've found of stopping the seemingly infinite loop is to
> either restart Asterisk or temporarily block network traffic between
> the two machines in order to break the cycle.
>
> Any idea whether this has been fixed in a later version?
>
> This is basically the response coming back from OpenSIPs (anonymised),
> whether Asterisk didn't provide
>
> SIP/2.0 407 Proxy Authentication Required
> Via: SIP/2.0/UDP 100.101.102.103:5060
> ;received=100.101.102.103;rport=5060;branch=z9hG4bKPja942e87d-c501-4834-9184-f002c3fd53d2
> From: <sip:01970123456 at 100.101.102.103
> >;tag=075f669f-9115-42a8-8c98-6170a2910e4b
> To: <sip:012345678900 at opensips7a.barritel.com
> >;tag=c97b4d1cb1f3d0da549e06a8d482ef63.fefa
> Call-ID: f79caf90-5b95-4db7-966b-a42e2d372c90
> CSeq: 34157 INVITE
> Proxy-Authenticate: Digest realm="sip.example.com",
> nonce="5f96c21800011caac9f7e901848de60a1e186b402bd9b710", qop="auth"
> Server: OpenSIPS (1.11.6-tls (x86_64/linux))
> Content-Length: 0
>
> The caveat is that whether what OpenSIPs is doing is correct or broken,
> our customers can edit the auth on their own SIP gateways, so our
> system needs to be able to handle it properly.
>
> Cheers,
> Kingsley.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20201029/3558c343/attachment.html>


More information about the asterisk-users mailing list