Re: [asterisk-users] Initial REGISTER Request: Contains Credentials before 401: KDDI Japan
Brian,
> KDDI does provide a list of supported equipment and vendors. Specific
> hardware or license based software products that quickly become cost
> prohibitive.
>
> I doubt that Asterisk will find it's way on the list any time soon. Because
> KDDI follows the traditional "big telco" method of interoperability, which
> normally means licensing products for use on their network.
That's exactly the sort of thing that the industry should be evolving away from.
For now, this should help quiet KDDI's complaints.
Here is a small patch to the transmit_register() function in chan_sip.c that
prevents adding an Authorization header to the initial REGISTER request:
--- certified-asterisk-1.8.15-cert1/channels/chan_sip.c.orig2013-05-16
16:30:12.0 -0400
+++ certified-asterisk-1.8.15-cert1/channels/chan_sip.c 2013-05-16
16:57:49.0 -0400
@@ -13620,6 +13620,8 @@
if (!ast_strlen_zero(global_useragent))
add_header(&req, "User-Agent", global_useragent);
+/* Never add auth header to the initial REGISTER request */
+if (r->regattempts) {
if (auth) { /* Add auth header */
add_header(&req, authheader, auth);
} else if (!ast_strlen_zero(r->nonce)) {
@@ -13647,6 +13649,7 @@
ast_log(LOG_NOTICE, "No authorization available for
authentication of registration to %s@%s\n", r->username, r->hostname);
}
}
+}
snprintf(tmp, sizeof(tmp), "%d", r->expiry);
add_header(&req, "Expires", tmp);
I tested it to make sure it works as advertised, but not thoroughly enough to
be completely confident that there are no side effects. At the very least, it
should be a good starting point for a more robust patch.
Here is a SIP trace of the REGISTER dialog when Asterisk starts or when 'sip
reload' is entered at the CLI.
17:03:39.279847 IP astdev.imminc.com.sip > ekiga.net.sip: SIP, length: 381
REGISTER sip:ekiga.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK0f4587f3;rport
Max-Forwards: 70
From: ;tag=as1f2818c1
To:
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 104 REGISTER
User-Agent: Asterisk PBX 1.8.15-cert1
Expires: 120
Contact:
Content-Length: 0
17:03:39.370575 IP ekiga.net.sip > astdev.imminc.com.sip: SIP, length: 462
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK0f4587f3;rport=42521
From: ;tag=as1f2818c1
To: ;tag=c64e1f832a41ec1c1f4e5673ac5b80f6.9b08
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 104 REGISTER
WWW-Authenticate: Digest realm="ekiga.net",
nonce="519549c961b09f86679289f055e42960ed06592c052d"
Server: Kamailio (1.5.3-notls (i386/linux))
Content-Length: 0
17:03:39.403113 IP astdev.imminc.com.sip > ekiga.net.sip: SIP, length: 582
REGISTER sip:ekiga.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK32be996c;rport
Max-Forwards: 70
From: ;tag=as36aa89ae
To:
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 105 REGISTER
User-Agent: Asterisk PBX 1.8.15-cert1
Authorization: Digest username="regtest", realm="ekiga.net", algorithm=MD5,
uri="sip:ekiga.net", nonce="519549c961b09f86679289f055e42960ed06592c052d",
response="e477ad0f835211b06d750a8c3edf88ea"
Expires: 120
Contact:
Content-Length: 0
17:03:39.495126 IP ekiga.net.sip > astdev.imminc.com.sip: SIP, length: 399
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK32be996c;rport=42521
From: ;tag=as36aa89ae
To: ;tag=c64e1f832a41ec1c1f4e5673ac5b80f6.bf7b
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 105 REGISTER
Contact: ;expires=600
Server: Kamailio (1.5.3-notls (i386/linux))
Content-Length: 0
I hope this helps you convince KDDI that Asterisk is a legitimate VoIP platform.
Please reply and let me know how it goes.
Regards,
Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Initial REGISTER Request: Contains Credentials before 401: KDDI Japan
Hi Matthew, Thanks for the response. > From: "Matthew J. Roth" > Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion > > Date: Wed, 15 May 2013 12:28:11 -0500 (CDT) > To: Asterisk Users Mailing List - Non-Commercial Discussion > > Subject: Re: [asterisk-users] Initial REGISTER Request: Contains Credentials > before 401 > > Brian LaVallee wrote: >> >> My SIP provider is not happy that credentials (in the Authorization header >> field) are provided in the initial REGISTER request. >> >> The SIP provider ONLY wants the credentials AFTER rejecting the message with >> a 401. >> >> I know it's dumb, because the RFC says that the the initial REGISTER message >> MAY include credentials. If it fails, the proper authentication method is >> included in the 401. I know there is nothing wrong, it is how SIP is >> supposed to work. > > Who is your SIP provider? They need to be called out so that other Asterisk > users can avoid them. This tendency to flip the customer/vendor relationship > on > its head must be discouraged. The SIP provider is KDDI Japan. >> However I would like to keep my SIP provider from complaining. > > The only thing they should complain about is if you don't pay your bill on > time. > >> Asterisk is "NOT SUPPORTED" by the SIP provider. > > The REGISTER request was successful so, at least from a practical standpoint, > the provider does support Asterisk. It would be ideal if all providers > officially supported Asterisk, but this is just one example of how it's not > worth trying to please everyone. I know that the SIP provider is being overly diligent to prevent toll-fraud, but some of their complaints about normal SIP communications have been outrageous. I don't want to go into it, but KDDI has actually complained that the REPLY to the 401 was too fast. >> Does anyone in the Asterisk community know how to avoid sending the >> credentials until AFTER receiving a 401? > > Edit the source. I'm sorry to be blunt, but I really can't see the developers > adding another option to "sip.conf" just to satisfy such a pointless request. > >> Any suggestions would be appreciated! > > Ask the provider what platforms are "supported". Pick one of them and use it > to > configure the "useragent" and "sdpsession" options in "sip.conf". Or look for > another provider that doesn't waste your time complaining about RFC-compliant > behavior. KDDI does provide a list of supported equipment and vendors. Specific hardware or license based software products that quickly become cost prohibitive. I doubt that Asterisk will find it's way on the list any time soon. Because KDDI follows the traditional "big telco" method of interoperability, which normally means licensing products for use on their network. > Regards, > > Matthew Roth > InterMedia Marketing Solutions > Software Engineer and Systems Developer > -- > _ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: >http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: >http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Initial REGISTER Request: Contains Credentials before 401
Brian LaVallee wrote: > > My SIP provider is not happy that credentials (in the Authorization header > field) are provided in the initial REGISTER request. > > The SIP provider ONLY wants the credentials AFTER rejecting the message with > a 401. > > I know it's dumb, because the RFC says that the the initial REGISTER message > MAY include credentials. If it fails, the proper authentication method is > included in the 401. I know there is nothing wrong, it is how SIP is > supposed to work. Who is your SIP provider? They need to be called out so that other Asterisk users can avoid them. This tendency to flip the customer/vendor relationship on its head must be discouraged. > However I would like to keep my SIP provider from complaining. The only thing they should complain about is if you don't pay your bill on time. > Asterisk is "NOT SUPPORTED" by the SIP provider. The REGISTER request was successful so, at least from a practical standpoint, the provider does support Asterisk. It would be ideal if all providers officially supported Asterisk, but this is just one example of how it's not worth trying to please everyone. > Does anyone in the Asterisk community know how to avoid sending the > credentials until AFTER receiving a 401? Edit the source. I'm sorry to be blunt, but I really can't see the developers adding another option to "sip.conf" just to satisfy such a pointless request. > Any suggestions would be appreciated! Ask the provider what platforms are "supported". Pick one of them and use it to configure the "useragent" and "sdpsession" options in "sip.conf". Or look for another provider that doesn't waste your time complaining about RFC-compliant behavior. Regards, Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Initial REGISTER Request: Contains Credentials before 401
My SIP provider is not happy that credentials (in the Authorization header field) are provided in the initial REGISTER request. The SIP provider ONLY wants the credentials AFTER rejecting the message with a 401. I know it's dumb, because the RFC says that the the initial REGISTER message MAY include credentials. If it fails, the proper authentication method is included in the 401. I know there is nothing wrong, it is how SIP is supposed to work. However I would like to keep my SIP provider from complaining. Asterisk is "NOT SUPPORTED" by the SIP provider. Does anyone in the Asterisk community know how to avoid sending the credentials until AFTER receiving a 401? Any suggestions would be appreciated! Sincerely, Brian LaVallee # === # sip.conf # Asterisk 1.8.15-cert1 # --- ; [general] ; ; - trucated ; register=>accountnum...@server.carrier.tld:secret:acco...@proxy.carrier.tld/ DID ; ; - end # === # SIP REGISTER Dialog # --- IP 4.4.4.4.sip > 8.8.8.8.sip: UDP, length 602 REGISTER sip:server.carrier.tld SIP/2.0 Via: SIP/2.0/UDP 4.4.4.4:5060;branch=aAaAaAaAaAaAaAa Max-Forwards: 70 From: ;tag=as6c2d23d4 To: Call-ID: 3e47b75000b0924b6c9ba5759a7cf15d@4.4.4.4 CSeq: 190 REGISTER Authorization: Digest username="account", realm="carrier.tld", algorithm=MD5, uri="sip:sip:8.8.8.8", nonce="1368595443265327", response="0b833bff6d83337f9f88f6fb53bbcef6" Expires: 1800 Contact: Content-Length: 0 IP 8.8.8.8.sip > 4.4.4.4.sip: UDP, length 469 SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 4.4.4.4:5060;branch=aAaAaAaAaAaAaAa From: ;tag=as6c2d23d4 To: ;tag=3577586129 Call-ID: 3e47b75000b0924b6c9ba5759a7cf15d@4.4.4.4 CSeq: 190 REGISTER Content-Length: 0 Date: Wed, 15 May 2013 05:55:29 GMT WWW-Authenticate: Digest realm="carrier.tld", domain="sip:8.8.8.8", nonce="1368597329273572", opaque="", stale=TRUE, algorithm=MD5 IP 4.4.4.4.sip > 8.8.8.8.sip: UDP, length 602 REGISTER sip:server.carrier.tld SIP/2.0 Via: SIP/2.0/UDP 4.4.4.4:5060;branch=BbBbBbBbBbBbBbB Max-Forwards: 70 From: ;tag=as333ffab1 To: Call-ID: 3e47b75000b0924b6c9ba5759a7cf15d@4.4.4.4 CSeq: 191 REGISTER Authorization: Digest username="account", realm="carrier.tld", algorithm=MD5, uri="sip:sip:8.8.8.8", nonce="1368597329273572", response="097ee5b915cd39c1407c785fb3c06caf" Expires: 1800 Contact: Content-Length: 0 IP 8.8.8.8.sip > 4.4.4.4.sip: UDP, length 373 SIP/2.0 200 OK Via: SIP/2.0/UDP 4.4.4.4:5060;branch=BbBbBbBbBbBbBbB From: ;tag=as333ffab1 To: Call-ID: 3e47b75000b0924b6c9ba5759a7cf15d@4.4.4.4 CSeq: 191 REGISTER Contact: ;q=0;expires=1901 Content-Length: 0 Date: Wed, 15 May 2013 05:55:29 GMT # === -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
