Hello,
as you say it is tls, have you taken the trace on client side or on
server side? Also, to rule it out -- you don't have any sbc in between,
right?
For further troubleshooting, can you add the line:
xlog("Proxy-Authorization header is: $hdr(Proxy-Authorization)\n");
before:
if (!auth_check("$fd", "subscriber", "1")) {
Then set debug=3 and test again. Send the logs for the second processing
of the PUBLISH, the one that has credentials in it.
Cheers,
Daniel
On 28/04/15 10:32, Tomas Zanet wrote:
> Hello, yes you are right there's Authentication header in the REGISTER
> request. I meant realm parameter.
> Anyway, here is the PUBLISH request:
>
> Request-Line: PUBLISH sip:1...@myhome2.xip.bpt.com SIP/2.0
> Via: SIP/2.0/TLS 172.23.254.189:58187;branch=z9hG4bK.58aWk31-b;rport
> From: <sip:1...@myhome2.xip.bpt.com>;tag=cwg1ZGY8e
> To: sip:1...@myhome2.xip.bpt.com
> .......
> Proxy-Authorization: Digest realm="myhome2.xip.bpt.com",
> nonce="VT5iRFU+YRjzMXdoV+ZGLf9J9FU53SfL", username="101",
> uri="sip:1...@myhome2.xip.bpt.com",
> response="8a6c4d3dbac00a4bea2e52f420b1f72c"
>
> And this is the subscriber query:
> mysql> select * from subscriber;
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
> | id | username | domain | password | email_address | ha1
> | ha1b | rpid |
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
> | 20 | 100 | myhome2.xip.bpt.com | xxx | | .... | ...
> | NULL |
> | 22 | 101 | myhome2.xip.bpt.com | xxx | | .... | ...
> | NULL |
> | 23 | 102 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 24 | 103 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 25 | 120 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 26 | 104 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 27 | 105 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 28 | 106 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 29 | 107 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 30 | 108 | myhome2.xip.bpt.com | xxx | | .... | ...
> | NULL |
> | 31 | 109 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 32 | 110 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 33 | 121 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> | 34 | 130 | myhome2.xip.bpt.com | xxx | | ... | ...
> | NULL |
> +----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
>
>
> Just for your better understanding, Kamailio is behind NAT (I set adverting
> address in the listen parameter) and SIP UAC as well. Moreover, there are
> sending SIP messages using SIP/TLS.
> Thanks for your help
>
> T.
>
>
>
> Tomas Zanet
> Software Design Department
> tza...@came.com
> CAME S.p.A.
>
>
> Da: Daniel-Constantin Mierla [mailto:mico...@gmail.com]
> Inviato: martedì 28 aprile 2015 09:26
> A: Tomas Zanet; Kamailio (SER) - Users Mailing List
> Oggetto: Re: R: [SR-Users] publish authentication problem
>
> Hello,
>
> REGISTER should have Authorization header.
>
> Can you paste the headers of such PUBLISH?
>
> The log message you pasted in a previous email shows that the realm was not
> matching:
>
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]:
> pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not
> found
>
> Maybe it is different than From header domain.
>
> Cheers,
> Daniel
> On 28/04/15 09:13, Tomas Zanet wrote:
> Hello, yes it is.
> The real parameter in Proxy-Authorization header is the same for PUBLISH and
> REGISTER and INVIATE as well.
> I’m doing authentication in this way:
>
> if (!auth_check("$fd", "subscriber", "1")) {
> auth_challenge("$fd", "0");
> exit;
> }
>
>
> Thanks,
> T.
>
>
> Da: Daniel-Constantin Mierla [mailto:mico...@gmail.com]
> Inviato: lunedì 27 aprile 2015 17:56
> A: Kamailio (SER) - Users Mailing List; Tomas Zanet
> Oggetto: Re: [SR-Users] publish authentication problem
>
> Hello,
>
> can you check what is the value of the realm parameter in Proxy-Authorization
> header of PUBLISH? Is it myhome2.xip.bpt.com?
>
> Cheers,
> Daniel
> On 24/04/15 15:31, Tomas Zanet wrote:
> Hello everyone,
> I’ve been working on a project where I would like to implement RFC6035
> https://tools.ietf.org/html/rfc6035
>
> Basically, after the end of the call, our SIP UAC sends a SIP PUBLISH to
> Kamailio where there are some useful information about media quality (packet
> loss, mos, etc..)
> This information is stored by Kamailio with sql_query command…
>
> To achieve this, I implemented a custom route function inside Kamailio cfg
> file, which handles PUBLISH request, check vq-rtcpxr body and store that
> information into a database.
> Here is a snippet code:
> # AVPF report route
> route[AVPF] {
> if(!is_method("PUBLISH"))
> return;
> if (has_body("application/vq-rtcpxr"))
> {
> $var(x) = "INSERT INTO quality_reporting_raw(body) VALUES (\"" +
> $(rb{s.escape.common}) + "\");";
> sql_query("cb", "$(var(x))");
> …… reply 200 ok and so on….
> exit(0)
> }
> }
>
> Everything works fine (almost fine, because the report is stored twice…) if I
> do the route(AVPF) before authentication, like this…
>
> (main route):
> # handle AVPF reports
> route(AVPF);
>
> # authentication
> route(AUTH);
>
> Instead if I swap these two functions, doing the authentication before
> publish processing, I have some problems about publish authentication….not
> for the other requests (INVITE and REGISTER)
> As far as I know From, To and Request-URI must match the authentication user,
> in the PUBLISH REQUEST as described here
> http://kamailio.org/docs/modules/4.2.x/modules/auth_db.html#auth_db.f.auth_check
>
> I confirm that…I’m sending the SIP PUBLISH from user 101 to user 101, which
> is currently registered.
>
> My problem is that Kamailio is continuously answering with 407 to the SIP
> PUBLISH, even if the PUBLISH request has the right Proxy-Authorization header…
> Digging into the log file, I found this :
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db
> [authorize.c:486]: auth_check(): realm [myhome2.xip.bpt.com] table
> [subscriber] flags [1]
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]:
> pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not
> found
> Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db
> [authorize.c:252]: digest_authenticate_hdr(): no credentials
>
> Just for your better understanding I’m doing authorization with db, using
> subscriber table where there are all the users with 'myhome2.xip.bpt.com'
> domain…
> In fact, all INVITEs and REGISTERs are correctly authenticated…
>
> Would you mind address me to find out the problem? Maybe, there’s something
> wrong in my cfg file.
> Thanks in advance
>
> T,
>
>
> --
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio World Conference, May 27-29, 2015
> Berlin, Germany - http://www.kamailioworld.com
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
