Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu, I understand your thought process. I certainly understand that However, same device, exactly the same credentials and it authenticates properly against 2 other systems. They can't both be wrong and OpenSIPS be correct. For reference this is what I have installed: version: opensips 3.2.8 (x86_64/linux) flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535 poll method support: poll, epoll, sigio_rt, select. main.c compiled on 17:05:59 Aug 17 2022 with gcc 4.8.5 I tried the tool you suggested. Since the device is returning nc=0001,cnonce="30a17663" which is more than the python script uses so I can't get a correct calculation anyway. This is one example that failed Authorization: Digest username="3105738133",realm="digilink.net",nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",uri="sip:sip.rs.digidial.net",algorithm=MD5,response="d4922aa870ad36ec61f1b5da0cf6be04",qop=auth,nc=0001,cnonce="30a17663" I found a more comprehensive tool and got the correct result from the above digest (password redacted from the image below): So, this begs the question - why is OpenSIPS getting it wrong? --- Bob There may be some other On 9/8/2022 1:43 AM, Bogdan-Andrei Iancu wrote: I'm quite sure OpenSIPS is computing the auth correctly, after all you are the only one complaining on this. And the point is to identify which side is not doing the proper computing and eventually see why - it may be a setting, a typo, etc... Just my 2 cents on the matter. Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com OpenSIPS Summit 27-30 Sept 2022, Athens https://www.opensips.org/events/Summit-2022Athens/ On 9/8/22 10:29 AM, Bob Atkins wrote: Iancu, I'm not sure what the point of this would be. Even if it showed that OpenSIPS was calculating incorrectly - then what? The device registers just fine with both asterisk and OpenSER v1.1 with exactly the same parameters. The device is calculating the response correctly for 2 other systems. OpenSIPS is clearly getting it wrong. The question is why? Or even how. This is a pretty basic calculation. --- Bob On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote: Hi Bob, Use the below to double check which party is failing in computing the right auth response. https://openplatform.xyz/sip_register_digest_authentication.html Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com OpenSIPS Summit 27-30 Sept 2022, Athens https://www.opensips.org/events/Summit-2022Athens/ On 9/7/22 10:46 PM, Bob Atkins wrote: Iancu, Thank you!! You identified the problem. Turns out that I had failed to add the IP for the OpenSIPS proxy to a firewall that was blocking the response from this new sip server (facepalm) to the device :-( So, once I fixed the firewall I thought that would be it... Not my luck. Now it is challenging and /_*rejecting!*_/ The HA1 is failing to compare! But the passwords are correct! Now I am really mystified. I created identical DB entries for this unit in both the original OpenSER system and the OpenSIPS system. Registration to the OpenSER system works perfectly - HA1 validates. When I change the sip server to the new system, to OpenSIPS system fails due to mismatched HA1. Whaaa ?!?! Mismatched HA1 would imply a password failure but I have absolutely, positively verified the passwords in both database entries and the /_*only*_/ thing I change on the device is the sip server. It should just register on the new system. I have attached packet capture of the transaction between the device and teh OpenSIPSs system. I have absolutely, positively copied and pasted (no trailing nl or spaces) and verified that the passwords are the same in both databases and also the same on the device. OpenSER DB subscriber entery phplib_id username domain password first_name last_name phone email_address datetime_created datetime_modified confirmation flag sendnotification greeting ha1 ha1b allow_find timezone rpid domn uuid customerID customerName 3105738133 3105738133 digilink.net PPC Home Fax 3105738133 7/5/2012 16:36 11/7/2021 13:58 o 0 \N \N \N \N 72 DigiLink Internet Services OpenSIPS DB subscriber entry
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
I'm quite sure OpenSIPS is computing the auth correctly, after all you
are the only one complaining on this. And the point is to identify which
side is not doing the proper computing and eventually see why - it may
be a setting, a typo, etc...
Just my 2 cents on the matter.
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/8/22 10:29 AM, Bob Atkins wrote:
Iancu,
I'm not sure what the point of this would be. Even if it showed that
OpenSIPS was calculating incorrectly - then what?
The device registers just fine with both asterisk and OpenSER v1.1
with exactly the same parameters.
The device is calculating the response correctly for 2 other systems.
OpenSIPS is clearly getting it wrong. The question is why? Or even
how. This is a pretty basic calculation.
---
Bob
On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
Hi Bob,
Use the below to double check which party is failing in computing the
right auth response.
https://openplatform.xyz/sip_register_digest_authentication.html
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 10:46 PM, Bob Atkins wrote:
Iancu,
Thank you!! You identified the problem. Turns out that I had failed
to add the IP for the OpenSIPS proxy to a firewall that was blocking
the response from this new sip server (facepalm) to the device :-(
So, once I fixed the firewall I thought that would be it... Not my luck.
Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
compare! But the passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original
OpenSER system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates.
When I change the sip server to the new system, to OpenSIPS system
fails due to mismatched HA1. Whaaa ?!?!
Mismatched HA1 would imply a password failure but I have absolutely,
positively verified the passwords in both database entries and the
/_*only*_/ thing I change on the device is the sip server. It should
just register on the new system. I have attached packet capture of
the transaction between the device and teh OpenSIPSs system.
I have absolutely, positively copied and pasted (no trailing nl or
spaces) and verified that the passwords are the same in both
databases and also the same on the device.
OpenSER DB subscriber entery
phplib_id username domain password first_name last_name phone
email_address datetime_created datetime_modified confirmation
flag sendnotification greeting ha1 ha1b allow_find timezone
rpid domn uuid customerID customerName
3105738133 3105738133 digilink.net PPC Home Fax
3105738133
7/5/2012 16:36 11/7/2021 13:58
o
0 \N \N \N \N 72 DigiLink Internet
Services
OpenSIPS DB subscriber entry
id username domain password cr_preferred_carrier first_name
last_name phone email_address datetime_created datetime_modified
confirmation flag sendnotification greeting allow_find
timezone customerID customerName ha1 ha1_sha256 ha1_sha512t256
rpid
1 3105738133 digidial \N PPC Home Fax 3105738133
b...@planeparts.com 7/5/2012 16:36 11/7/2021 13:58
0
72 DigiLink Internet Services \N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt]
Processing registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu
from $si");
save("location");
exit;
};
==
OpenSIPS system
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db",
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Bob,
OpenSIPS calculates: HA1 field in DB is an MD5 hash of
"username:domain:password"
At least works for me
From: Bob Atkins<mailto:b...@digilink.net>
Sent: Thursday, 8 September 2022 19:32
To: Bogdan-Andrei Iancu<mailto:bog...@opensips.org>; OpenSIPS users mailling
list<mailto:users@lists.opensips.org>
Subject: Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,
I'm not sure what the point of this would be. Even if it showed that OpenSIPS
was calculating incorrectly - then what?
The device registers just fine with both asterisk and OpenSER v1.1 with exactly
the same parameters.
The device is calculating the response correctly for 2 other systems.
OpenSIPS is clearly getting it wrong. The question is why? Or even how. This
is a pretty basic calculation.
---
Bob
On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
Hi Bob,
Use the below to double check which party is failing in computing the right
auth response.
https://openplatform.xyz/sip_register_digest_authentication.html
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 10:46 PM, Bob Atkins wrote:
Iancu,
Thank you!! You identified the problem. Turns out that I had failed to add the
IP for the OpenSIPS proxy to a firewall that was blocking the response from
this new sip server (facepalm) to the device :-(
So, once I fixed the firewall I thought that would be it... Not my luck.
Now it is challenging and rejecting! The HA1 is failing to compare! But the
passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original OpenSER
system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates. When I
change the sip server to the new system, to OpenSIPS system fails due to
mismatched HA1. Whaaa ?!?!
Mismatched HA1 would imply a password failure but I have absolutely, positively
verified the passwords in both database entries and the only thing I change on
the device is the sip server. It should just register on the new system. I have
attached packet capture of the transaction between the device and teh OpenSIPSs
system.
I have absolutely, positively copied and pasted (no trailing nl or spaces) and
verified that the passwords are the same in both databases and also the same on
the device.
OpenSER DB subscriber entery
phplib_id
username
domain
password
first_name
last_name
phone
email_address
datetime_created
datetime_modified
confirmation
flag
sendnotification
greeting
ha1
ha1b
allow_find
timezone
rpid
domn
uuid
customerID
customerName
3105738133
3105738133
digilink.net
PPC Home
Fax
3105738133
7/5/2012 16:36
11/7/2021 13:58
o
0
\N
\N
\N
\N
72
DigiLink Internet Services
OpenSIPS DB subscriber entry
id
username
domain
password
cr_preferred_carrier
first_name
last_name
phone
email_address
datetime_created
datetime_modified
confirmation
flag
sendnotification
greeting
allow_find
timezone
customerID
customerName
ha1
ha1_sha256
ha1_sha512t256
rpid
1
3105738133
digidial
\N
PPC Home
Fax
3105738133
b...@planeparts.com<mailto:b...@planeparts.com>
7/5/2012 16:36
11/7/2021 13:58
0
72
DigiLink Internet Services
\N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing
registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging
peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
save("location");
exit;
};
==
OpenSIPS system
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
if (is_method("REGISTER")) {
xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
xlog("L_INFO", "REGISTER: www_authorize
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,
I'm not sure what the point of this would be. Even if it showed that
OpenSIPS was calculating incorrectly - then what?
The device registers just fine with both asterisk and OpenSER v1.1 with
exactly the same parameters.
The device is calculating the response correctly for 2 other systems.
OpenSIPS is clearly getting it wrong. The question is why? Or even
how. This is a pretty basic calculation.
---
Bob
On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
Hi Bob,
Use the below to double check which party is failing in computing the
right auth response.
https://openplatform.xyz/sip_register_digest_authentication.html
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 10:46 PM, Bob Atkins wrote:
Iancu,
Thank you!! You identified the problem. Turns out that I had failed
to add the IP for the OpenSIPS proxy to a firewall that was blocking
the response from this new sip server (facepalm) to the device :-(
So, once I fixed the firewall I thought that would be it... Not my luck.
Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
compare! But the passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original
OpenSER system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates.
When I change the sip server to the new system, to OpenSIPS system
fails due to mismatched HA1. Whaaa ?!?!
Mismatched HA1 would imply a password failure but I have absolutely,
positively verified the passwords in both database entries and the
/_*only*_/ thing I change on the device is the sip server. It should
just register on the new system. I have attached packet capture of
the transaction between the device and teh OpenSIPSs system.
I have absolutely, positively copied and pasted (no trailing nl or
spaces) and verified that the passwords are the same in both
databases and also the same on the device.
OpenSER DB subscriber entery
phplib_id username domain password first_name last_name phone
email_address datetime_created datetime_modified confirmation
flag sendnotification greeting ha1 ha1b allow_find timezone
rpid domn uuid customerID customerName
3105738133 3105738133 digilink.net PPC Home Fax
3105738133
7/5/2012 16:36 11/7/2021 13:58
o
0 \N \N \N \N 72 DigiLink Internet
Services
OpenSIPS DB subscriber entry
id username domain password cr_preferred_carrier first_name
last_name phone email_address datetime_created datetime_modified
confirmation flag sendnotification greeting allow_find timezone
customerID customerName ha1 ha1_sha256 ha1_sha512t256 rpid
1 3105738133 digidial \N PPC Home Fax 3105738133
b...@planeparts.com 7/5/2012 16:36 11/7/2021 13:58
0
72 DigiLink Internet Services \N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt]
Processing registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu
from $si");
save("location");
exit;
};
==
OpenSIPS system
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
if (is_method("REGISTER")) {
xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
xlog("L_INFO", "REGISTER: www_authorize returned
[$var(x)] to authenticate with [$rU]$ru credential");
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,
Use the below to double check which party is failing in computing the
right auth response.
https://openplatform.xyz/sip_register_digest_authentication.html
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 10:46 PM, Bob Atkins wrote:
Iancu,
Thank you!! You identified the problem. Turns out that I had failed to
add the IP for the OpenSIPS proxy to a firewall that was blocking the
response from this new sip server (facepalm) to the device :-(
So, once I fixed the firewall I thought that would be it... Not my luck.
Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
compare! But the passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original
OpenSER system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates.
When I change the sip server to the new system, to OpenSIPS system
fails due to mismatched HA1. Whaaa ?!?!
Mismatched HA1 would imply a password failure but I have absolutely,
positively verified the passwords in both database entries and the
/_*only*_/ thing I change on the device is the sip server. It should
just register on the new system. I have attached packet capture of the
transaction between the device and teh OpenSIPSs system.
I have absolutely, positively copied and pasted (no trailing nl or
spaces) and verified that the passwords are the same in both databases
and also the same on the device.
OpenSER DB subscriber entery
phplib_id username domain password first_name last_name phone
email_address datetime_created datetime_modified confirmation flag
sendnotification greeting ha1 ha1b allow_find timezone rpid
domn uuid customerID customerName
3105738133 3105738133 digilink.net PPC Home Fax
3105738133
7/5/2012 16:36 11/7/2021 13:58
o
0 \N \N \N \N 72 DigiLink Internet
Services
OpenSIPS DB subscriber entry
id username domain password cr_preferred_carrier first_name
last_name phone email_address datetime_created datetime_modified
confirmation flag sendnotification greeting allow_find timezone
customerID customerName ha1 ha1_sha256 ha1_sha512t256 rpid
1 3105738133 digidial \N PPC Home Fax 3105738133
b...@planeparts.com 7/5/2012 16:36 11/7/2021 13:58
0
72 DigiLink Internet Services \N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing
registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt]
Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from
$si");
save("location");
exit;
};
==
OpenSIPS system
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
if (is_method("REGISTER")) {
xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
xlog("L_INFO", "REGISTER: www_authorize returned [$var(x)]
to authenticate with [$rU]$ru credential");
if (!www_authorize("digilink.net", "subscriber")) {
xlog("L_INFO","CHALLENGE: [$ft][$tt]");
www_challenge("digilink.net","auth","MD5");
exit;
} else {
xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru
credential from [$si] - FAILED!");
sl_send_reply(403, "Not Authorized!");
exit;
}
xlog("L_INFO", "REGISTER:
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Iancu,
Thank you!! You identified the problem. Turns out that I had failed to
add the IP for the OpenSIPS proxy to a firewall that was blocking the
response from this new sip server (facepalm) to the device :-(
So, once I fixed the firewall I thought that would be it... Not my luck.
Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
compare! But the passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original
OpenSER system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates. When
I change the sip server to the new system, to OpenSIPS system fails due
to mismatched HA1. Whaaa ?!?!
Mismatched HA1 would imply a password failure but I have absolutely,
positively verified the passwords in both database entries and the
/_*only*_/ thing I change on the device is the sip server. It should
just register on the new system. I have attached packet capture of the
transaction between the device and teh OpenSIPSs system.
I have absolutely, positively copied and pasted (no trailing nl or
spaces) and verified that the passwords are the same in both databases
and also the same on the device.
OpenSER DB subscriber entery
phplib_id username domain password first_name last_name phone
email_address datetime_created datetime_modified confirmation flag
sendnotification greeting ha1 ha1b allow_find timezone rpid domn
uuid customerID customerName
3105738133 3105738133 digilink.netPPC Home
Fax 3105738133
7/5/2012 16:36 11/7/2021 13:58
o
0 \N \N \N \N 72 DigiLink Internet
Services
OpenSIPS DB subscriber entry
id username domain password cr_preferred_carrier first_name
last_name phone email_address datetime_created datetime_modified
confirmation flag sendnotification greeting allow_find timezone
customerID customerName ha1 ha1_sha256 ha1_sha512t256 rpid
1 3105738133 digidial \N PPC Home Fax 3105738133
b...@planeparts.com 7/5/2012 16:36 11/7/2021 13:58
0
72 DigiLink Internet Services \N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing
registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt]
Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from
$si");
save("location");
exit;
};
==
OpenSIPS system
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
if (is_method("REGISTER")) {
xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
xlog("L_INFO", "REGISTER: www_authorize returned [$var(x)]
to authenticate with [$rU]$ru credential");
if (!www_authorize("digilink.net", "subscriber")) {
xlog("L_INFO","CHALLENGE: [$ft][$tt]");
www_challenge("digilink.net","auth","MD5");
exit;
} else {
xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential
from [$si] - FAILED!");
sl_send_reply(403, "Not Authorized!");
exit;
}
xlog("L_INFO", "REGISTER: URI [$tu] - [$rm][$ft][$tt]
Registered $fu from $si");
save("location");
exit;
}
Debug output:
Sep 7 09:42:09 [5640] DBG:core:parse_msg: SIP Request:
Sep 7 09:42:09 [5640] DBG:core:parse_msg: method:
Sep 7 09:42:09 [5640] DBG:core:parse_msg: uri:
Sep 7 09:42:09 [5640] DBG:core:parse_msg: version:
Sep 7 09:42:09 [5640]
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Iancu,
Thank you very much for your reply. Please ignore my previous message -
it got sent prematurely.
Like you, I am mystified by the fact that it says that it cannot find
the domain realm when it is actually in the table.
Keep in mind that I changed the code to specifically see the return
result from www_authorize in my earlier tests and found that
www_authorize returns [-4] which means (no credentials) - credentials
were not found in request. WHy is it returning a -4?? Why is that -4
being passing the if (!www_authorize("", "subscriber")) { statement in
the first place. It should not fall through to the challenge with a -4
return.
There is also no reason why the credentials should not be there - they
have certainly not been consumed before this point.
Here is the subscriber table entry for reference:
id;username;domain;password;cr_preferred_carrier;first_name;last_name;phone;email_address;datetime_created;datetime_modified;confirmation;flag;sendnotification;greeting;allow_find;timezone;customerID;customerName;ha1;ha1_sha256;ha1_sha512t256;rpid
1;3105738133;sip.rs.digidial.net;xxx;\N;PPC
Home;Fax;3105738133;b...@planeparts.com;2012-07-05 16:36:13;2021-11-07
13:58:34;;0;72;DigiLink Internet Services\N
I would like to point out that the /_*exact same configuration*_/ works
properly in OpenSER v1.1 with exactly the same database table and entry
I tried your suggestion (see code snipet below) and still no joy... All
that was accomplished was the realm got set to the ip server's SRV name
'sip.rs.digidial.net' (see debug output below).
if (!www_authorize("", "subscriber")) {
#xlog("L_INFO","CHALLENGE: [$ft][$tt]");
www_challenge("", "auth,auth-int",
"MD5,MD5-sess,SHA-256,SHA-256-sess");
exit;
} else {
#xlog("L_ALERT", "REGISTER: URI [$tu] - FAILED");
xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential
from [$si] - FAILED!");
sl_send_reply(403, "Not Authorized!");
exit;
}
I left the subscriber table entry as above and the test failed. I
changed the domain of the subscriber to sip.rs.digidial.net and it still
failed with exactly the same message - see below.
Debug output:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: SIP Request:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: method:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: uri:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: version:
Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=
Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=10
Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={},
ruri={sip:3970@23.253.166.155}
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: [27];
uri=[sip:3970@23.253.166.155]
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: to body
[
]
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 232,
= ; state=6
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 235,
= ; state=17
Sep 6 11:34:42 [4299] DBG:core:parse_via: end of header reached, state=5
Sep 6 11:34:42 [4299] DBG:core:parse_headers: via found,
flags=
Sep 6 11:34:42 [4299] DBG:core:parse_headers: this is the first via
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: cseq : <1>
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: content_length=0
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: found end of header
Sep 6 11:34:42 [4299] DBG:core:receive_msg: After parse_msg...
Sep 6 11:34:42 [4299] DBG:core:receive_msg: preparing to run routing
scripts...
Sep 6 11:34:42 [4299] DBG:pike:mark_node: search on branch 128
(top=0x7f6aba91fb08)
Sep 6 11:34:42 [4299] DBG:pike:mark_node: only first 1 were matched!
Sep 6 11:34:42 [4299] DBG:pike:pike_check_req: src IP
[128.90.81.216],node=0x7f6aba91fb08; hits=[0,1],[0,0] node_flags=2
func_flags=8
Sep 6 11:34:42 [4299] DBG:maxfwd:is_maxfwd_present: value = 70
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: int 27: 501 / 2048
Sep 6 11:34:42 [4299] DBG:core:parse_to_param: tag=e5f4a8407663e4f7a3970
Sep 6 11:34:42 [4299] DBG:core:parse_to_param: end of header reached,
state=11
Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=29
Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={},
ruri={sip:3970@23.253.166.155}
Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=78
Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=200
Sep 6 11:34:42 [4299] DBG:rr:find_first_route: No Route headers found
Sep 6 11:34:42 [4299] DBG:rr:loose_route: There is no Route HF
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
Sep 6 11:34:42 [4299] DBG:core:comp_scriptvar: ip 20: 128.90.81.216
Sep 6 11:34:42 [4299]
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,
Well, the logs cover only the challenge part, the handling of the
REGISTER without any credentials - this is the first normal step in the
digest auth process.
As per log, no Auth hdrs are found in the incoming REGISTER and a
challenge reply is built and sent back (see the last log line below):
Sep 6 11:34:42 [4299] DBG:core:pv_get_authattr: no
[Proxy-]Authorization header
Sep 6 11:34:42 [4299] [e5f4a8407663e4f7a3970][]@[] -
Processing registrationSep 6 11:34:42 [4299] DBG:core:parse_headers:
flags=4000
Sep 6 11:34:42 [4299] DBG:auth:pre_auth: credentials with given realm
not found
Sep 6 11:34:42 [4299] DBG:auth:reserve_nonce_index: second= 19,
sec_monit= 22, index= 36
Sep 6 11:34:42 [4299] DBG:auth:challenge: nonce index= 36
Sep 6 11:34:42 [4299] DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
realm="23.253.166.155",
nonce="945VEH4DrBNkbwzJOMTyiEbNih+ChrtOdEF1sn9J0QAA", qop="auth",
algorithm=MD5
But normally it should be a second incoming REGISTER (as response to the
challenge) with credentials this time. Do you have the logs from both
REGISTER requests and eventually the SIP capture for them?
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/6/22 9:47 PM, Bob Atkins wrote:
Hi Iancu,
Thank you very much for your reply. Please ignore my previous message
- it got sent prematurely.
Like you, I am mystified by the fact that it says that it cannot find
the domain realm when it is actually in the table.
Keep in mind that I changed the code to specifically see the return
result from www_authorize in my earlier tests and found that
www_authorize returns [-4] which means (no credentials) - credentials
were not found in request. WHy is it returning a -4?? Why is that -4
being passing the if (!www_authorize("", "subscriber")) { statement in
the first place. It should not fall through to the challenge with a -4
return.
There is also no reason why the credentials should not be there - they
have certainly not been consumed before this point.
Here is the subscriber table entry for reference:
id;username;domain;password;cr_preferred_carrier;first_name;last_name;phone;email_address;datetime_created;datetime_modified;confirmation;flag;sendnotification;greeting;allow_find;timezone;customerID;customerName;ha1;ha1_sha256;ha1_sha512t256;rpid
1;3105738133;sip.rs.digidial.net;xxx;\N;PPC
Home;Fax;3105738133;b...@planeparts.com;2012-07-05 16:36:13;2021-11-07
13:58:34;;0;72;DigiLink Internet Services\N
I would like to point out that the /_*exact same configuration*_/
works properly in OpenSER v1.1 with exactly the same database table
and entry
I tried your suggestion (see code snipet below) and still no joy...
All that was accomplished was the realm got set to the ip server's SRV
name 'sip.rs.digidial.net' (see debug output below).
if (!www_authorize("", "subscriber")) {
#xlog("L_INFO","CHALLENGE: [$ft][$tt]");
www_challenge("", "auth,auth-int",
"MD5,MD5-sess,SHA-256,SHA-256-sess");
exit;
} else {
#xlog("L_ALERT", "REGISTER: URI [$tu] - FAILED");
xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru
credential from [$si] - FAILED!");
sl_send_reply(403, "Not Authorized!");
exit;
}
I left the subscriber table entry as above and the test failed. I
changed the domain of the subscriber to sip.rs.digidial.net and it
still failed with exactly the same message - see below.
Debug output:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: SIP Request:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: method:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: uri:
Sep 6 11:34:42 [4299] DBG:core:parse_msg: version:
Sep 6 11:34:42 [4299] DBG:core:parse_headers: flags=
Sep 6 11:34:42 [4299] DBG:core:_parse_to: end of header reached, state=10
Sep 6 11:34:42 [4299] DBG:core:_parse_to: display={},
ruri={sip:3970@23.253.166.155}
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: [27];
uri=[sip:3970@23.253.166.155]
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: to body
[
]
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 232,
= ; state=6
Sep 6 11:34:42 [4299] DBG:core:parse_via_param: found param type 235,
= ; state=17
Sep 6 11:34:42 [4299] DBG:core:parse_via: end of header reached, state=5
Sep 6 11:34:42 [4299] DBG:core:parse_headers: via found,
flags=
Sep 6 11:34:42 [4299] DBG:core:parse_headers: this is the first via
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: cseq : <1>
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: content_length=0
Sep 6 11:34:42 [4299] DBG:core:get_hdr_field: found end of header
Sep 6 11:34:42 [4299] DBG:core:receive_msg: After parse_msg...
Sep 6 11:34:42 [4299] DBG:core:receive_msg: preparing
Re: [OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi Bob,
The key log is this one:
Aug 30 18:19:05 [17809] DBG:auth:pre_auth: credentials with given realm
not found
Basically OpenSIPS says it does not find the "digilink.net" realm in the
provided auth header in REGISTER. As a quick experiment, could you use
the empty string "" for realm (instead of "digilink.net") in the
www_authorize/challenge() functions ?
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 8/31/22 4:31 AM, Bob Atkins wrote:
Hi.
Have been a long time OpenSER user in a production environment.
I managed to convert to OpenSIPS v3.2.8 on a CentOS 7 system and is
working based on IP authentication however, I just cannot get sip
registrations to work that used to work fine with OpenSER. I'm using a
SPA112 running 1.4.1(SR5) as a test device. This device registers just
fine with Asterisk and OpenSER v1.1 with exactly the same credentials
but no matter what I have tried it just won't register with OpenSIPS
v3.2.8.
I am using auth_db and mysql. I have verified that all sql data is
correct.
I have been banging my head against the screen for hours to no avail.
In reviewing the debug and log output I can clearly see that something
is wrong because the user name and domain are both ?
www_authorize returns [-4] which means (no credentials) - credentials
were not found in request.
There is no reason why the credentials should not be there - they have
certainly not been consumed before this point.
This same device registers just fine with /_*exactly *_/the same
credentials to both OpenSER v1.1 and asterisk servers.
Would be grateful if anyone can shed some light on this because it
seems to me that something inside auth or auth_db is broken and not
extracting the registration credentials from the REGISTER message.
This code worked just fine in OpenSER v1.1
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
save("location");
exit;
};
This is the code in the OpenSIPS 3.2.8 config that is failing:
Here are the module loads and various defines:
loadmodule "options.so"
loadmodule "textops.so"
SIGNALING module
loadmodule "signaling.so"
StateLess module
loadmodule "sl.so"
Transaction Module
loadmodule "tm.so"
modparam("tm", "enable_stats", 1)
modparam("tm", "fr_timeout", 9)
modparam("tm", "fr_inv_timeout", 120)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)
Record Route Module
loadmodule "rr.so"
/* do not append from tag to the RR */
modparam("rr", "append_fromtag", 1)
loadmodule "uac.so"
#modparam("uac","restore_mode","auto")
modparam("uac","rr_from_store_param","dns_uac_param")
modparam("uac","restore_mode","none")
MAX ForWarD module
loadmodule "maxfwd.so"
SIP MSG OPerationS module
loadmodule "sipmsgops.so"
FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("mi_fifo", "fifo_mode", 0666)
USeR LOCation module
loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "working_mode_preset",
"single-instance-sql-write-back")
modparam("usrloc", "db_url", "mysql://opensips:??@localhost/opensips")
loadmodule "nathelper.so"
modparam("nathelper", "received_avp", "$avp(rcv)")
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients
behind NAT
MYSQL module
loadmodule "db_mysql.so"
loadmodule "avpops.so"
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 0)
modparam("auth_db", "db_url",
"mysql://opensips:??@localhost/opensips")
modparam("auth_db", "load_credentials", "")
REGISTRAR module
loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
modparam("registrar", "min_expires", 120)
modparam("registrar", "max_expires", 3600)
modparam("registrar", "default_expires", 3600)
modparam("registrar", "max_contacts", 5)
modparam("registrar", "received_avp", "$avp(rcv)")
Pike DOS protection
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 3)
modparam("pike", "reqs_density_per_unit", 20)
DIALOG module
loadmodule "dialog.so"
modparam("dialog", "dlg_match_mode", 1)
modparam("dialog", "default_timeout", 21600) # 6 hours timeout
modparam("dialog", "db_mode", 0)
modparam("dialog", "profiles_with_value", "trunkCalls")
ACCounting module
loadmodule "acc.so"
/* what special
[OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Hi.
Have been a long time OpenSER user in a production environment.
I managed to convert to OpenSIPS v3.2.8 on a CentOS 7 system and is
working based on IP authentication however, I just cannot get sip
registrations to work that used to work fine with OpenSER. I'm using a
SPA112 running 1.4.1(SR5) as a test device. This device registers just
fine with Asterisk and OpenSER v1.1 with exactly the same credentials
but no matter what I have tried it just won't register with OpenSIPS v3.2.8.
I am using auth_db and mysql. I have verified that all sql data is correct.
I have been banging my head against the screen for hours to no avail.
In reviewing the debug and log output I can clearly see that something
is wrong because the user name and domain are both ?
www_authorize returns [-4] which means (no credentials) - credentials
were not found in request.
There is no reason why the credentials should not be there - they have
certainly not been consumed before this point.
This same device registers just fine with /_*exactly *_/the same
credentials to both OpenSER v1.1 and asterisk servers.
Would be grateful if anyone can shed some light on this because it seems
to me that something inside auth or auth_db is broken and not extracting
the registration credentials from the REGISTER message.
This code worked just fine in OpenSER v1.1
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
save("location");
exit;
};
This is the code in the OpenSIPS 3.2.8 config that is failing:
Here are the module loads and various defines:
loadmodule "options.so"
loadmodule "textops.so"
SIGNALING module
loadmodule "signaling.so"
StateLess module
loadmodule "sl.so"
Transaction Module
loadmodule "tm.so"
modparam("tm", "enable_stats", 1)
modparam("tm", "fr_timeout", 9)
modparam("tm", "fr_inv_timeout", 120)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)
Record Route Module
loadmodule "rr.so"
/* do not append from tag to the RR */
modparam("rr", "append_fromtag", 1)
loadmodule "uac.so"
#modparam("uac","restore_mode","auto")
modparam("uac","rr_from_store_param","dns_uac_param")
modparam("uac","restore_mode","none")
MAX ForWarD module
loadmodule "maxfwd.so"
SIP MSG OPerationS module
loadmodule "sipmsgops.so"
FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("mi_fifo", "fifo_mode", 0666)
USeR LOCation module
loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "working_mode_preset", "single-instance-sql-write-back")
modparam("usrloc", "db_url", "mysql://opensips:??@localhost/opensips")
loadmodule "nathelper.so"
modparam("nathelper", "received_avp", "$avp(rcv)")
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients
behind NAT
MYSQL module
loadmodule "db_mysql.so"
loadmodule "avpops.so"
AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 0)
modparam("auth_db", "db_url", "mysql://opensips:??@localhost/opensips")
modparam("auth_db", "load_credentials", "")
REGISTRAR module
loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
modparam("registrar", "min_expires", 120)
modparam("registrar", "max_expires", 3600)
modparam("registrar", "default_expires", 3600)
modparam("registrar", "max_contacts", 5)
modparam("registrar", "received_avp", "$avp(rcv)")
Pike DOS protection
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 3)
modparam("pike", "reqs_density_per_unit", 20)
DIALOG module
loadmodule "dialog.so"
modparam("dialog", "dlg_match_mode", 1)
modparam("dialog", "default_timeout", 21600) # 6 hours timeout
modparam("dialog", "db_mode", 0)
modparam("dialog", "profiles_with_value", "trunkCalls")
ACCounting module
loadmodule "acc.so"
/* what special events should be accounted ? */
modparam("acc", "report_cancels", 1)
modparam("acc", "early_media", 1)
/* by default we do not adjust the direct of the sequential requests.
if you enable this parameter, be sure to enable "append_fromtag"
in "rr" module */
modparam("acc", "detect_direction", 0)
modparam("acc", "acc_callid_column", "sip_callid")
modparam("acc", "acc_sip_code_column", "sip_status")
modparam("acc", "acc_method_column", "sip_method")
modparam("acc", "acc_to_tag_column", "totag")
modparam("acc", "acc_from_tag_column", "fromtag")
modparam("acc", "extra_fields", "db:sip_from; sip_to; in_uri;
