Removes all of them. See:
http://www.opensips.org/html/docs/modules/1.4.x/textops.html#id271734
Regards,
Bogdan
Robert Borz wrote:
> Hi,
>
> so remove_hf("Proxy-Authorization") removes any Proxy-Authorization headers
> or just the first?
>
> What will happen if there are more than one proy auth. Header fields, will
> all of them be removed? This would be a solution... but I don't want to close
> our Sip proxy and only let outgoing and incoming sip calls of our domain go
> through.
>
> Hmm, I tried to add an radius_proxy_authorize() before the
> consume_credentials(), but as you said, I can't challenge ACKs and BYEs.
>
> Hmm....
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, January 22, 2009 1:22 PM
> To: Robert Borz
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
>
> Hi Robert,
>
> I did read your email (even sent a reply ;))
>
> consume_credentials() function removes only credentials that were
> checked for authentication, so, in order to make it work, you have to
> previously do authentication. The function works in this way because a
> requests may contain credentials for multiple SIP proxies (chained
> authentication), so a proxy must be careful and remove only credentials
> targeting itself.
>
> So, what you you could do is to check if the ACK has the "Proxy-Auth"
> headers (with is_present_hf) and if so, use remove_hf() function to
> strip it out without any check.
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>
>> Hi Bogdan,
>>
>> thanks a lot for your response!
>>
>> So... you're exactly saying where I run into. ;)
>> Did you read my last mails with the subject "consume_credentials doesn't
>> work with auth_radius module"?
>>
>> Maybe you can help me just by telling me what's the way people do in
>> production.
>>
>> So... concerning my current configuration, I think I have the clue right
>> now, what the problem is.
>>
>> If an unauthorized INVITE comes in, my SER does radius_proxy_authorize() -
>> no problem here. But, to the 200 OK (Call answered), the ACK of my client
>> also contains the proxy authorization credentials, which is loose-routed.
>> And now, the is_present_hf("Proxy-Authorization") function returns true
>> (which is correct if the UAC includes the credentials in the ACK), but
>> consume_credentials() returns an error, because it doesn't know that it has
>> verified (and marked) the credentials before.
>>
>> How to proceed in this case....
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Thursday, January 22, 2009 8:41 AM
>> To: Robert Borz
>> Cc: [email protected]
>> Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
>>
>> Hi Robert,
>>
>> Robert Borz wrote:
>>
>>
>>> Just had a look at RFC 3261... 269 pages... well, looks for a hard work for
>>> one day... but it isn't written to understand and answer my dumb questions
>>> within one or two hours. ;)
>>>
>>>
>>>
>> indeed, the RFC3261 is like a novel :).....
>>
>>
>>> So, just want to know which contents in an ACK message are allowed in which
>>> case...
>>>
>>> Especially, I'm interested in which contents in an ACK are allowed in a
>>> response to a 200 OK (after INVITE)... is the Proxy-Authorization header
>>> field allowed in an ACK as response to a 200 OK of an INVITE?
>>>
>>>
>>>
>> yes, it is optional - see the RFC3261, section 20.1 , page 163 - Table 3
>>
>>
>>> Maybe someone read my previous two mails, I'm a little confused right
>>> now...
>>>
>>> I detected different behaviour between different UACs, which is nothing
>>> unusual for me (I'm just a developer, too).
>>>
>>> X-Lite for example includes the digest-credentials in an ACK packet in the
>>> Proxy-Authorization header field, whereas the snom-softphone does not.
>>> The Ekige softphone for windows also includes the Proxy-Authorization
>>> header field.
>>>
>>> So, which behaviour is standard? It would be great to get any help from
>>> you... just to spare the time reading the whole RFC... :-(
>>>
>>>
>>>
>> well, all are correct, as the header presence in the ACK request is
>> optional....
>>
>> My understanding on the RFC (on the auth matter) is that if the INVITE
>> has an "Proxy-Authorization" headers, the ACK should also contain
>> one...but it is not a must, it is a recommendation. The idea is, if the
>> proxy asked for auth for INVITE, it might ask for the ACK also....but as
>> you cannot challenge the ACK, the client should pre-fill the auth in ACK.
>>
>> Regards,
>> Bogdan
>>
>>
>>> <lying>But, I don’t mind reading it...</lying> ;-P
>>>
>>>
>>> Robert.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
