[SR-Users] R: R: publish authentication problem
Daniel-Constantin Mierla
miconda at gmail.com
Tue Apr 28 14:32:55 CEST 2015
Hello,
as you say it is tls, have you taken the trace on client side or on
server side? Also, to rule it out -- you don't have any sbc in between,
right?
For further troubleshooting, can you add the line:
xlog("Proxy-Authorization header is: $hdr(Proxy-Authorization)\n");
before:
if (!auth_check("$fd", "subscriber", "1")) {
Then set debug=3 and test again. Send the logs for the second processing
of the PUBLISH, the one that has credentials in it.
Cheers,
Daniel
On 28/04/15 10:32, Tomas Zanet wrote:
> Hello, yes you are right, there's an Authentication header in the REGISTER request. I meant the realm parameter.
> Anyway, here is the PUBLISH request:
>
> Request-Line: PUBLISH sip:101@myhome2.xip.bpt.com SIP/2.0
> Via: SIP/2.0/TLS 172.23.254.189:58187;branch=z9hG4bK.58aWk31-b;rport
> From: <sip:101@myhome2.xip.bpt.com>;tag=cwg1ZGY8e
> To: sip:101@myhome2.xip.bpt.com
> .......
> Proxy-Authorization: Digest realm="myhome2.xip.bpt.com", nonce="VT5iRFU+YRjzMXdoV+ZGLf9J9FU53SfL", username="101", uri="sip:101@myhome2.xip.bpt.com", response="8a6c4d3dbac00a4bea2e52f420b1f72c"
>
> And this is the subscriber query:
> mysql> select * from subscriber;
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
> | id | username | domain              | password | email_address | ha1                              | ha1b                             | rpid |
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
> | 20 | 100      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
> | 22 | 101      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
> | 23 | 102      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 24 | 103      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 25 | 120      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 26 | 104      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 27 | 105      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 28 | 106      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 29 | 107      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 30 | 108      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
> | 31 | 109      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 32 | 110      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 33 | 121      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> | 34 | 130      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
>
>
> Just for your better understanding, Kamailio is behind NAT (I set the advertise address in the listen parameter) and the SIP UAC as well. Moreover, they are sending SIP messages using SIP/TLS.
> Thanks for your help
>
> T.
>
>
>
> Tomas Zanet
> Software Design Department
> tzanet at came.com
> CAME S.p.A.
>
>
> From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> Sent: Tuesday, 28 April 2015 09:26
> To: Tomas Zanet; Kamailio (SER) - Users Mailing List
> Subject: Re: R: [SR-Users] publish authentication problem
>
> Hello,
>
> REGISTER should have Authorization header.
>
> Can you paste the headers of such PUBLISH?
>
> The log message you pasted in a previous email shows that the realm was not matching:
>
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not found
>
> Maybe it is different than From header domain.
>
> Cheers,
> Daniel
> On 28/04/15 09:13, Tomas Zanet wrote:
> Hello, yes it is.
> The realm parameter in the Proxy-Authorization header is the same for PUBLISH and REGISTER and INVITE as well.
> I’m doing authentication in this way:
>
> if (!auth_check("$fd", "subscriber", "1")) {
> auth_challenge("$fd", "0");
> exit;
> }
>
>
> Thanks,
> T.
>
>
> From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> Sent: Monday, 27 April 2015 17:56
> To: Kamailio (SER) - Users Mailing List; Tomas Zanet
> Subject: Re: [SR-Users] publish authentication problem
>
> Hello,
>
> can you check what is the value of the realm parameter in Proxy-Authorization header of PUBLISH? Is it myhome2.xip.bpt.com?
>
> Cheers,
> Daniel
> On 24/04/15 15:31, Tomas Zanet wrote:
> Hello everyone,
> I’ve been working on a project where I would like to implement RFC6035
> https://tools.ietf.org/html/rfc6035
>
> Basically, after the end of the call, our SIP UAC sends a SIP PUBLISH to Kamailio containing some useful information about media quality (packet loss, MOS, etc.).
> This information is stored by Kamailio with the sql_query command…
>
> To achieve this, I implemented a custom route function inside the Kamailio cfg file, which handles the PUBLISH request, checks the vq-rtcpxr body and stores that information in a database.
> Here is a code snippet:
> # AVPF report route
> route[AVPF] {
>     if (!is_method("PUBLISH"))
>         return;
>     if (has_body("application/vq-rtcpxr")) {
>         # build the INSERT from the request body, escaped with s.escape.common
>         $var(x) = "INSERT INTO quality_reporting_raw(body) VALUES (\"" + $(rb{s.escape.common}) + "\");";
>         sql_query("cb", "$(var(x))");
>         # …… reply 200 ok and so on….
>         exit(0);
>     }
> }
>
> Everything works fine (almost fine, because the report is stored twice…) if I do the route(AVPF) before authentication, like this…
>
> (main route):
> # handle AVPF reports
> route(AVPF);
>
> # authentication
> route(AUTH);
>
> Instead if I swap these two functions, doing the authentication before publish processing, I have some problems about publish authentication….not for the other requests (INVITE and REGISTER)
> As far as I know From, To and Request-URI must match the authentication user, in the PUBLISH REQUEST as described here
> http://kamailio.org/docs/modules/4.2.x/modules/auth_db.html#auth_db.f.auth_check
>
> I confirm that…I’m sending the SIP PUBLISH from user 101 to user 101, which is currently registered.
>
> My problem is that Kamailio is continuously answering with 407 to the SIP PUBLISH, even if the PUBLISH request has the right Proxy-Authorization header…
> Digging into the log file, I found this :
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db [authorize.c:486]: auth_check(): realm [myhome2.xip.bpt.com] table [subscriber] flags [1]
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not found
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db [authorize.c:252]: digest_authenticate_hdr(): no credentials
>
> Just for your better understanding I’m doing authorization with db, using subscriber table where there are all the users with 'myhome2.xip.bpt.com' domain…
> In fact, all INVITEs and REGISTERs are correctly authenticated…
>
> Would you mind directing me to find out the problem? Maybe there’s something wrong in my cfg file.
> Thanks in advance
>
> T,
>
>
> --
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio World Conference, May 27-29, 2015
> Berlin, Germany - http://www.kamailioworld.com
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
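
An added example, not part of the original thread and not Kamailio's code: an offline check of a captured Proxy-Authorization value against a subscriber's HA1, following the RFC 2617 digest computation, to tell a realm mismatch apart from a wrong response. The function names, password and nonce are constructed for illustration; realm, username and uri are the ones quoted in the thread.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(value):
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased parameter names."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}

def expected_response(ha1, method, cred):
    ha2 = md5_hex(f"{method}:{cred['uri']}")
    if "qop" in cred:  # RFC 2617 form, used when the challenge offered qop
        return md5_hex(":".join([ha1, cred["nonce"], cred["nc"], cred["cnonce"], cred["qop"], ha2]))
    return md5_hex(f"{ha1}:{cred['nonce']}:{ha2}")  # no qop, as in the PUBLISH above

def check_credentials(value, method, from_domain, ha1_by_user):
    """Return a list of problems; an empty list means the credentials verify."""
    cred = parse_digest(value)
    required = ["username", "realm", "nonce", "uri", "response"]
    required += ["nc", "cnonce"] if "qop" in cred else []
    missing = [k for k in required if k not in cred]
    if missing:
        return ["missing parameter(s): " + ", ".join(missing)]
    problems = []
    if cred["realm"] != from_domain:
        problems.append("realm differs from From domain")
    ha1 = ha1_by_user.get((cred["username"], cred["realm"]))
    if ha1 is None:
        problems.append("no subscriber row for username/realm")
    elif expected_response(ha1, method, cred) != cred["response"].lower():
        problems.append("response mismatch")
    return problems

# Constructed sample: realm, username and uri as in the thread; password and nonce invented.
REALM, USER, URI = "myhome2.xip.bpt.com", "101", "sip:101@myhome2.xip.bpt.com"
HA1 = md5_hex(f"{USER}:{REALM}:constructed-secret")  # MD5(username:realm:password)
SUBSCRIBERS = {(USER, REALM): HA1}

def sample_header(method, nonce="constructed-nonce"):
    resp = expected_response(HA1, method, {"uri": URI, "nonce": nonce})
    return (f'Digest realm="{REALM}", nonce="{nonce}", username="{USER}", '
            f'uri="{URI}", response="{resp}"')

if __name__ == "__main__":
    print(check_credentials(sample_header("PUBLISH"), "PUBLISH", REALM, SUBSCRIBERS))
```

The method is part of the hash, so a response computed for one method does not verify for another.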