<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
<div class="moz-cite-prefix">On 8/22/12 10:51 AM,
<a class="moz-txt-link-abbreviated" href="mailto:patrice.bodeven@orange.com">patrice.bodeven@orange.com</a> wrote:<br>
</div>
<blockquote
cite="mid:669_1345625487_50349D8F_669_7953_1_F51524208B2244439FE9395DA60B7EB602FBA6@PEXCVZYM14.corporate.adroot.infra.ftgroup"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hello, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I am working on Kamailio
3.2.2. There is no traffic, only functional test done.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Based on the SIP Client
used until now (Xlite), the INVITE is systematically
authenticated by 407 as there is no Proxy-Authorization in
the initial INVITE. Expected/normal behavior.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But when using an
internal SIP client, the initial INVITE is generated with a
Proxy-Authorization containing the nonce value used by the
successful registration.
<o:p></o:p></span></p>
<p class="MsoNormal"><u><span lang="EN-US">In Authorization of
Register (the answer is 200OK)<o:p></o:p></span></u></p>
<p class="MsoNormal"><span lang="EN-US">Digest
username=<a class="moz-txt-link-rfc2396E" href="mailto:+33296488922@ims.v0.pftest.net">"+33296488922@ims.v0.pftest.net"</a>,
realm=<a class="moz-txt-link-rfc2396E" href="sip:ims.v0.pftest.net">"sip:ims.v0.pftest.net"</a>, nonce="<span
style="color:red">UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA</span>",
uri=<a class="moz-txt-link-rfc2396E" href="sip:ims.v0.pftest.net">"sip:ims.v0.pftest.net"</a>,
response="4ed51b8e62cf769b19f8c4771e068ad3",
cnonce="06440000000529330fe1", qop=auth, nc=00000011<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><u><span lang="EN-US">In
Proxy-Authorization of Invite <o:p>
</o:p></span></u></p>
<p class="MsoNormal"><span lang="EN-US">Digest
username=<a class="moz-txt-link-rfc2396E" href="mailto:+33296488922@ims.v0.pftest.net">"+33296488922@ims.v0.pftest.net"</a>,
realm=<a class="moz-txt-link-rfc2396E" href="sip:ims.v0.pftest.net">"sip:ims.v0.pftest.net"</a>, nonce="<span
style="color:red">UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA</span>",
uri=<a class="moz-txt-link-rfc2396E" href="sip:0157361149@ims.v0.pftest.net">"sip:0157361149@ims.v0.pftest.net"</a>,
response="b247052d6d5b37e0b6677c816390cb77",
cnonce="06440000000529330fe1", qop=auth, nc=00000012<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">As the nonce expire is
high (see nonce_expire), I don't understand why Kamailio
requests the Authentication of the INVITE by 407.
<o:p></o:p></span></p>
<p class="MsoNormal"><u><span lang="EN-US">407 with
Proxy-Authenticate</span></u><span lang="EN-US">: Digest
realm="ims.v0.pftest.net",
nonce="UDP6pVAzpkWDF+jSlP3zzVYcuNPhY8NQBj62WIA=",
qop="auth", stale=true<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US">Does it mean that the
REGISTER and INVITE are using different Nonce value ? <o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:Wingdings"
lang="EN-US">è</span><span lang="EN-US"> Information on my
configuration file.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("auth_db",
"db_url", DBURLAUTH)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("auth",
"auth_checks_register", 6) # callid and From TAG<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("auth", "qop",
"auth") # enable qop=auth<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("auth",
"nonce_count", 1) # enable nonce_count support
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("auth",
"nonce_expire", 21600) # Set nonce_expire to 6 hours
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For register, I do <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if
(!www_authorize("$ru", "subscriber"))<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if($?
== -2 || $? == -3) {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
sl_send_reply("403","Forbidden auth ID");<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
exit;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> else
{<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
www_challenge("$ru", "17");<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
exit;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For invite, I do <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if
(!proxy_authorize("$fd", "subscriber"))
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if($? ==
-2 || $? == -3) {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
sl_send_reply("403","Forbidden auth ID");<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> exit;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> else {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
proxy_challenge("$fd", "17");<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">
xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> exit;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Followed by
consume_credentials();<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks in advance for
your support.</span></p>
</div>
</blockquote>
set debug=3 in your configuration file and watch the log messages.
You should get some leads about why the authentication is not
succeeding.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<blockquote
cite="mid:669_1345625487_50349D8F_669_7953_1_F51524208B2244439FE9395DA60B7EB602FBA6@PEXCVZYM14.corporate.adroot.infra.ftgroup"
type="cite">
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - <a class="moz-txt-link-freetext" href="http://asipto.com/u/kat">http://asipto.com/u/kat</a></pre>
</body>
</html>