[OpenSIPS-Users] Cannot get registration to work with v3.2.8??
Bob Atkins
bob at digilink.net
Thu Sep 8 09:47:06 UTC 2022
Iancu,
I understand your thought process. I certainly understand that However,
same device, exactly the same credentials and it authenticates properly
against 2 other systems. They can't both be wrong and OpenSIPS be correct.
For reference this is what I have installed:
version: opensips 3.2.8 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC,
Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
main.c compiled on 17:05:59 Aug 17 2022 with gcc 4.8.5
I tried the tool you suggested. Since the device is returning
nc=00000001,cnonce="30a17663" which is more than the python script uses
so I can't get a correct calculation anyway.
This is one example that failed
Authorization: Digest
username="3105738133",realm="digilink.net",nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",uri="sip:sip.rs.digidial.net",algorithm=MD5,response="d4922aa870ad36ec61f1b5da0cf6be04",qop=auth,nc=00000001,cnonce="30a17663"
I found a more comprehensive tool and got the correct result from the
above digest (password redacted from the image below):
So, this begs the question - why is OpenSIPS getting it wrong?
---
Bob
There may be some other
On 9/8/2022 1:43 AM, Bogdan-Andrei Iancu wrote:
> I'm quite sure OpenSIPS is computing the auth correctly, after all you
> are the only one complaining on this. And the point is to identify
> which side is not doing the proper computing and eventually see why -
> it may be a setting, a typo, etc...
>
> Just my 2 cents on the matter.
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
> On 9/8/22 10:29 AM, Bob Atkins wrote:
>> Iancu,
>>
>> I'm not sure what the point of this would be. Even if it showed that
>> OpenSIPS was calculating incorrectly - then what?
>>
>> The device registers just fine with both asterisk and OpenSER v1.1
>> with exactly the same parameters.
>>
>> The device is calculating the response correctly for 2 other systems.
>>
>> OpenSIPS is clearly getting it wrong. The question is why? Or even
>> how. This is a pretty basic calculation.
>>
>> ---
>> Bob
>>
>>
>>
>> On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
>>> Hi Bob,
>>>
>>>
>>> Use the below to double check which party is failing in computing
>>> the right auth response.
>>>
>>> https://openplatform.xyz/sip_register_digest_authentication.html
>>>
>>>
>>> Regards,
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>> https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>> https://www.opensips.org/events/Summit-2022Athens/
>>> On 9/7/22 10:46 PM, Bob Atkins wrote:
>>>> Iancu,
>>>>
>>>> Thank you!! You identified the problem. Turns out that I had failed
>>>> to add the IP for the OpenSIPS proxy to a firewall that was
>>>> blocking the response from this new sip server (facepalm) to the
>>>> device :-(
>>>>
>>>> So, once I fixed the firewall I thought that would be it... Not my
>>>> luck.
>>>>
>>>> Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
>>>> compare! But the passwords are correct! Now I am really mystified.
>>>>
>>>> I created identical DB entries for this unit in both the original
>>>> OpenSER system and the OpenSIPS system.
>>>>
>>>> Registration to the OpenSER system works perfectly - HA1 validates.
>>>> When I change the sip server to the new system, to OpenSIPS system
>>>> fails due to mismatched HA1. Whaaa.... ?!?!
>>>>
>>>> Mismatched HA1 would imply a password failure but I have
>>>> absolutely, positively verified the passwords in both database
>>>> entries and the /_*only*_/ thing I change on the device is the sip
>>>> server. It should just register on the new system. I have attached
>>>> packet capture of the transaction between the device and teh
>>>> OpenSIPSs system.
>>>>
>>>> I have absolutely, positively copied and pasted (no trailing nl or
>>>> spaces) and verified that the passwords are the same in both
>>>> databases and also the same on the device.
>>>>
>>>> OpenSER DB subscriber entery
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> phplib_id username domain password first_name last_name phone
>>>> email_address datetime_created datetime_modified confirmation
>>>> flag sendnotification greeting ha1 ha1b allow_find timezone
>>>> rpid domn uuid customerID customerName
>>>> 3105738133 3105738133 digilink.net XXXXXXXX PPC Home Fax
>>>> 3105738133
>>>> 7/5/2012 16:36 11/7/2021 13:58
>>>> o
>>>>
>>>>
>>>>
>>>> 0 \N \N \N \N 72 DigiLink Internet Services
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> OpenSIPS DB subscriber entry
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> id username domain password cr_preferred_carrier first_name
>>>> last_name phone email_address datetime_created
>>>> datetime_modified confirmation flag sendnotification greeting
>>>> allow_find timezone customerID customerName ha1 ha1_sha256
>>>> ha1_sha512t256 rpid
>>>> 1 3105738133 digidial XXXXXXXX \N PPC Home Fax 3105738133
>>>> bob at planeparts.com 7/5/2012 16:36 11/7/2021 13:58
>>>> 0
>>>>
>>>>
>>>>
>>>> 72 DigiLink Internet Services \N
>>>>
>>>>
>>>>
>>>> Registration code:
>>>>
>>>> OpenSER system:
>>>>
>>>> modparam("auth_db", "calculate_ha1", yes)
>>>> modparam("auth_db", "password_column", "password")
>>>>
>>>> if (method=="REGISTER") {
>>>> #xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
>>>>
>>>> if (!www_authorize("digilink.net", "subscriber")) {
>>>> #xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
>>>> www_challenge("digilink.net", "0");
>>>> exit;
>>>> };
>>>>
>>>> xlog("L_INFO","[$rm][$ft][$tt] Registered $fu
>>>> from $si");
>>>> save("location");
>>>> exit;
>>>> };
>>>>
>>>> ==============
>>>> OpenSIPS system
>>>>
>>>> #### AUTH Db module
>>>> loadmodule "auth.so"
>>>> loadmodule "auth_db.so"
>>>> modparam("auth_db", "calculate_ha1", 1)
>>>> modparam("auth_db", "use_domain", 1)
>>>> modparam("auth_db", "user_column", "username")
>>>> modparam("auth_db", "password_column", "password")
>>>> modparam("auth_db", "load_credentials", "")
>>>>
>>>>
>>>> if (is_method("REGISTER")) {
>>>> xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
>>>> xlog("L_INFO","[$ft][$au]@[$ad] - Processing
>>>> registration");
>>>> xlog("L_INFO", "REGISTER: www_authorize returned
>>>> [$var(x)] to authenticate with [$rU]$ru credential");
>>>>
>>>> if (!www_authorize("digilink.net", "subscriber")) {
>>>> xlog("L_INFO","CHALLENGE: [$ft][$tt]");
>>>> www_challenge("digilink.net","auth","MD5");
>>>> exit;
>>>> } else {
>>>> xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru
>>>> credential from [$si] - FAILED!");
>>>> sl_send_reply(403, "Not Authorized!");
>>>> exit;
>>>> }
>>>>
>>>> xlog("L_INFO", "REGISTER: URI [$tu] - [$rm][$ft][$tt]
>>>> Registered $fu from $si");
>>>> save("location");
>>>> exit;
>>>> }
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220908/774f5f8c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TQiJZQYZqugAeyjy.png
Type: image/png
Size: 41807 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20220908/774f5f8c/attachment-0001.png>
More information about the Users
mailing list