[OpenSIPS-Users] 401 Unauthorized after Authentication Digest

David Peláez dvlux4 at gmail.com
Tue May 30 11:43:58 EDT 2017


Hello everyone.

My name is David. I am new to OpenSIPS and I am having some trouble
placing calls from a SIP phone on OpenSIPS to an Asterisk server.

The OpenSIPS server and the Asterisk server are connected through a SIP trunk.
When I make a call from phone A on OpenSIPS to phone B on Asterisk, the
Asterisk server requires digest authorization. I can respond with the
credentials, but a new 401 Unauthorized message is sent back to OpenSIPS,
and then the message is forwarded to phone A.

Please find attached the pcap file from wireshark and the opensips.cfg file.

Any advice about this?

Best regards
David
-------------- next part --------------
#
# OpenSIPS residential configuration script
#     by OpenSIPS Solutions <team at opensips-solutions.com>
#
# This script was generated via "make menuconfig", from
#   the "Residential" scenario.
# You can enable / disable more features / functionalities by
#   re-generating the scenario with different options.#
#
# Please refer to the Core CookBook at:
#      http://www.opensips.org/Resources/DocsCookbooks
# for an explanation of possible statements, functions and parameters.
#


####### Global Parameters #########

# Core logging setup: messages go to syslog facility LOCAL0, not stderr.
# NOTE(review): log_level=4 is the debug verbosity; keep it only while
# troubleshooting. Debug logs are large and may include SIP message details,
# so check who can read the syslog destination.
log_level=4
log_stderror=no
log_facility=LOG_LOCAL0

#fork = yes
# number of worker processes
children=4

/* uncomment the following lines to enable debugging */
#debug_mode=yes

/* uncomment the next line to enable the auto temporary blacklisting of 
   not available destinations (default disabled) */
#disable_dns_blacklist=no

/* uncomment the next line to enable IPv6 lookup after IPv4 dns 
   lookup failures (default disabled) */
#dns_try_ipv6=yes

/* comment the next line to enable the auto discovery of local aliases
   based on reverse DNS on IPs */
#auto_aliases=no
# address treated as local ("myself") by the routing logic
alias=192.168.1.12
###alias=172.16.100.10

# Both listeners are plain UDP/TCP on 5060; no TLS listener is defined in
# this section, so signaling and digest exchanges cross the network in clear.
listen=udp:192.168.1.12:5060   # CUSTOMIZE ME

listen=tcp:192.168.1.12:5060   # CUSTOMIZE ME 


####### Modules Section ########

#set module path
mpath="/lib64/opensips/modules/"

#### SIGNALING module
loadmodule "signaling.so"

#### StateLess module
loadmodule "sl.so"

#### Transaction Module
loadmodule "tm.so"
modparam("tm", "fr_timeout", 5)
modparam("tm", "fr_inv_timeout", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)

#### Record Route Module
loadmodule "rr.so"
/* do not append from tag to the RR (no need for this script) */
modparam("rr", "append_fromtag", 1)

#### UAC_AUTH
loadmodule "uac_auth.so"
modparam("uac_auth","auth_username_avp","$avp(user)")
modparam("uac_auth","auth_password_avp","$avp(pass)")
modparam("uac_auth","auth_realm_avp","$avp(realm)")

###modparam("uac_auth","credential","2000:172.16.100.10:2000")
### UAC
loadmodule "uac.so"
modparam("uac","restore_mode","auto")
modparam("uac","restore_passwd","my_secret_passwd")
modparam("uac","rr_from_store_param","my_Fparam")
modparam("uac","rr_to_store_param","my_Tparam")
####modparam("uac","force_dialog",yes)
#### MAX ForWarD module
loadmodule "maxfwd.so"

#### SIP MSG OPerationS module
loadmodule "sipmsgops.so"

#### FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("mi_fifo", "fifo_mode", 0666)


#### URI module
loadmodule "uri.so"
modparam("uri", "use_uri_table", 0)

  





#### MYSQL module
loadmodule "db_mysql.so"



#### USeR LOCation module
loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "db_mode",   2)
modparam("usrloc", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME


#### REGISTRAR module
loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")

/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

#### ACCounting module
loadmodule "acc.so"
/* what special events should be accounted ? */
modparam("acc", "early_media", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direct of the sequential requests.
   if you enable this parameter, be sure the enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)


#### AUTHentication modules
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db|uri", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME
modparam("auth_db", "load_credentials", "")


#### ALIAS module
loadmodule "alias_db.so"
modparam("alias_db", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME










####  DIALPLAN module
loadmodule "dialplan.so"
modparam("dialplan", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME


####  DYNAMMIC ROUTING module
loadmodule "drouting.so"
modparam("drouting", "db_url",
	"mysql://root:opensips@localhost/opensips") # CUSTOMIZE ME




loadmodule "proto_udp.so"

loadmodule "proto_tcp.so" 


####### Routing Logic ########

# main request routing logic

# Main request route. Order of processing: hop limit, in-dialog requests,
# CANCEL, authentication of initial requests, preloaded-route rejection,
# record-routing, accounting, then routing by destination (outbound relay,
# REGISTER, "2..." numbers to the Asterisk trunk, aliases/dialplan, PSTN via
# drouting, and finally the usrloc lookup).
route{
	# Credentials that uac_auth() will use to answer a digest challenge from
	# the trunk; they are set here for every request, whatever its destination.
	# NOTE(review): the trunk password is hard-coded in the script, is equal
	# to the username, and has been published with this post; change it on
	# the Asterisk side and keep this file readable only by the OpenSIPS user.
	$avp(user):="2000";
        $avp(pass):="2000";
        $avp(realm):="asterisk";


	# reject requests whose Max-Forwards is exhausted
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	if (has_totag()) {
		# sequential request within a dialog should
		# take the path determined by record-routing
		if (loose_route()) {
			
			if (is_method("BYE")) {
				# do accounting even if the transaction fails
				do_accounting("log","failed");
			} else if (is_method("INVITE")) {
				# even if in most of the cases is useless, do RR for
				# re-INVITEs also, as some buggy clients do change route set
				# during the dialog.
				record_route();
			}

			

			# route it out to whatever destination was set by loose_route()
			# in $du (destination URI).
			route(relay);
		} else {
			
			if ( is_method("ACK") ) {
				if ( t_check_trans() ) {
					# non loose-route, but stateful ACK; must be an ACK after 
					# a 487 or e.g. 404 from upstream server
					t_relay();
					exit;
				} else {
					# ACK without matching transaction ->
					# ignore and discard
					exit;
				}
			}
			sl_send_reply("404","Not here");
		}
		exit;
	}

	# CANCEL processing
	if (is_method("CANCEL"))
	{
		if (t_check_trans())
			t_relay();
		exit;
	}

	t_check_trans();

	# NOTE(review): requests for which is_from_gw() is true skip digest
	# authentication and the relay restriction below. That trust rests on the
	# source address matching a drouting gateway; verify the gateway list is
	# tight, since source addresses on plain UDP are easy to forge.
	if ( !(is_method("REGISTER")  || is_from_gw() ) ) {
		
		if (from_uri==myself)
		
		{
			
			# authenticate if from local subscriber
			# authenticate all initial non-REGISTER request that pretend to be
			# generated by local subscriber (domain from FROM URI is local)
			# NOTE(review): the "0" argument presumably requests a challenge
			# without qop -- confirm against the auth module documentation.
			if (!proxy_authorize("", "subscriber")) {
				proxy_challenge("", "0");
				exit;
			}
			# the authenticated user must match the From URI
			if (!db_check_from()) {
				sl_send_reply("403","Forbidden auth ID");
				exit;
			}
		
			# strip the caller's credentials before the request goes downstream
			consume_credentials();
			# caller authenticated
			
		} else {
			# if caller is not local, then called number must be local
			
			if (!uri==myself) {
				send_reply("403","Relay forbidden");
				exit;
			}
		}

	}

	# preloaded route checking
	if (loose_route()) {
		xlog("L_ERR",
		"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
		if (!is_method("ACK"))
			sl_send_reply("403","Preload Route denied");
		exit;
	}

	# record routing
	if (!is_method("REGISTER|MESSAGE"))
		record_route();

	# account only INVITEs
	if (is_method("INVITE")) {
		
		do_accounting("log");
	}

	
	# request URI is not local: mark it and relay (route(relay) ends processing)
	if (!uri==myself) {
		append_hf("P-hint: outbound\r\n"); 
		
		route(relay);
	}

	# requests for my domain
	
	if (is_method("PUBLISH|SUBSCRIBE"))
	{
		sl_send_reply("503", "Service Unavailable");
		exit;
	}

	if (is_method("REGISTER"))
	{
		# authenticate the REGISTER requests
		if (!www_authorize("", "subscriber"))
		{
			www_challenge("", "0");
			exit;
		}
		
		# the authenticated user must match the To URI being registered
		if (!db_check_to()) 
		{
			sl_send_reply("403","Forbidden auth ID");
			exit;
		}

		if ( proto==TCP ||  0 ) setflag(TCP_PERSISTENT);

		

		if (!save("location"))
			sl_reply_error();

		exit;
	}

	if ($rU==NULL) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	#Anything starting with 2 goes to the callserver 2
	# NOTE(review): every call on this path is presented to the trunk as user
	# 2000 and the To header is rewritten to the fixed user 201, whatever
	# number was dialed; only the request URI domain is changed ($rd).
	# The " at " inside the two URIs is presumably the list archive's
	# obfuscation of "@" -- confirm against the real file.
	
	if ($rU=~"^2") {

		uac_replace_from("sip:2000 at 192.168.1.12");
		uac_replace_to("sip:201 at 172.16.100.10");
		$rd="172.16.100.10";
		#record_route();
		route(relay);
		exit;
	
	}


	#t_on_failure("digest_response");
	#t_relay();

	# apply DB based aliases
	alias_db_lookup("dbaliases");

	
	# apply transformations from dialplan table
	dp_translate("0","$rU/$rU");

	
	# numbers in +E.164 form are sent to the PSTN through dynamic routing
	if ($rU=~"^\+[1-9][0-9]+$") {
		
		if (!do_routing("0")) {
			send_reply("500","No PSTN Route found");
			exit;
		}
		
		route(relay);
		exit;
	}
	 

	# do lookup with method filtering
	if (!lookup("location","m")) {
		if (!db_does_uri_exist()) {
			send_reply("420","Bad Extension");
			exit;
		}
		
		# known user with no registered contact
		t_newtran();
		t_reply("404", "Not Found");
		exit;
	} 

	

	# when routing via usrloc, log the missed calls also
	do_accounting("log","missed");
	route(relay);
}


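# Common exit point of the script: arms the helper routes for INVITEs,
# relays the request statefully and always ends script processing.
route[relay] {
	# for INVITEs enable some additional helper routes
	if (is_method("INVITE")) {
		t_on_branch("per_branch_ops");
		t_on_reply("handle_nat");
		# previously "missed_call"; digest_response answers a 401/407
		# challenge from the next hop with the uac_auth credentials
		t_on_failure("digest_response");
		# record_route() is deliberately not called here: the main route
		# already record-routes every initial and in-dialog INVITE before
		# it reaches this route, and a second call on the same message
		# only duplicates that attempt.
	}

	# reply 500 upstream if the request could not be sent at all
	if (!t_relay()) {
		send_reply("500","Internal Error");
	};
	exit;
}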




# Runs once per outgoing branch of a relayed INVITE; it only logs the
# branch's request URI and does not modify the request.
branch_route[per_branch_ops] {
	xlog("new branch at $ru\n");
}


# Runs for replies to a relayed INVITE. Despite its name, this route performs
# no NAT handling in this script; it only writes a log line.
onreply_route[handle_nat] {
	
	xlog("incoming reply\n");
}

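# Failure route armed by route[relay] for INVITEs. When the next hop answers
# with a 401/407 digest challenge, build the authorization header from the
# uac_auth AVPs ($avp(user), $avp(pass), $avp(realm)) and resend the request.
# Any other failure reply is passed back to the caller unchanged.
failure_route[digest_response] {
	if (t_check_status("(401)|(407)")) {
		# Resend only if credentials could actually be built. The result of
		# uac_auth() was ignored before, so a failure (for instance no
		# credential matching the challenge realm) went unnoticed and the
		# request was relayed again anyway.
		if (!uac_auth()) {
			xlog("L_ERR", "uac_auth failed for [$fu/$tu/$ci]\n");
			exit;
		}

		# This route is not re-armed for the new branch, so presumably a
		# second challenge is relayed to the caller instead of looping.
		# record_route() is not called here: it has no effect on a request
		# that t_relay() has already sent.
		if (!t_relay()) {
			xlog("L_ERR", "relay of authenticated request failed [$ci]\n");
		}
		exit;
	}

}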

# Failure route from the generated script. It stops processing for cancelled
# transactions and otherwise does nothing. The only t_on_failure() call in
# route[relay] now names "digest_response" (this route was the previous
# value), so this route appears to be unused in this script.
failure_route[missed_call] {
	if (t_was_cancelled()) {
		exit;
	}

	# uncomment the following lines if you want to block client 
	# redirect based on 3xx replies.
	##if (t_check_status("3[0-9][0-9]")) {
	##t_reply("404","Not found");
	##	exit;
	##}

	
}



-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.pcapng
Type: application/x-pcapng
Size: 2156912 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20170530/499d881a/attachment-0001.bin>

