<div dir="ltr"><div>Don't forget to deal with the CSeq increment on the authenticated INVITE.</div><div><br></div><div>Also, we had problems when any in-dialog message is received; we have to deal with CSeq on all of them. =(</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 25, 2020 at 12:30 PM johan &lt;<a href="mailto:johan@democon.be">johan@democon.be</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Jeff, be warned that the datafill for registrar is not obvious. <br>
    </p>
    <div>On 25/09/2020 16:40, Jeff Pyle wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div>I am not route-advancing in a typical way, so my
          application of credentials is a bit different perhaps.</div>
        <div><br>
        </div>
        <div>The environment I'm in has a variety of customer-facing
          platforms, over a dozen at last count.  Some are for trunking,
          some hosted, some hybrid.  The platform I'm writing on
          OpenSIPS is a testing one that will allow us to send and
          receive test calls to and from all of them.  So, rather than
          having a bunch of registrations on every test phone for every
          person who might want to test, this allows each person to have
          one appearance to this platform and select which upstream
          platform they want to send a call to via dialed prefixes.  </div>
        <div><br>
        </div>
        <div>I use the uac_registrant module, and its registrant table,
          to handle the platforms that require registrations and it
          works excellently.  At call time, I'm working on the scripting
          right now that will query the registrant table for the
          appropriate credentials based on where we've sent the call and
          apply them in the failure_route upon receiving a 401 or 407.</div>
        <div><br>
        </div>
        <div>Think of it this way:  when you configure a gateway in
          FreeSWITCH or a SIP peer in Asterisk's chan_sip, do you need
          to define the realm ahead of time?  No, you don't care; it's
          just a mechanism under the hood that's necessary to complete
          the transaction.  That's where I'm at in OpenSIPS.  With
          Johan's parsing it looks like I'm about there, too.  Friggin'
          regex gets me every time.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>- Jeff</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Fri, Sep 25, 2020 at 10:25
          AM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div lang="EN-US">
            <div>
              <p class="MsoNormal">I think you do need to have
                credentials associated with the different routes you
                have and load those properly. From your description,
                however, I don’t understand why it is dependent on
                identifying the realm in the response. If multiple
                downstream servers are all using the same realm (but
                have different credentials?) then how are you
                differentiating based on the realm value?</p>
              <p class="MsoNormal"> </p>
              <p class="MsoNormal">The idea with uac_auth is that when
                you send, for example, to server broadworks1 you would
                load all the possible valid credentials for broadworks1,
                including the realm it will challenge with. When you
                then call uac_auth() from failure route, it will look
                through all the loaded credentials for one with a
                matching realm to the broadworks1 challenge and use
                that. If the call fails for any reason to broadworks1
                and then you decide to route to server asterisk1, you
                would load all the possible credentials for that server
                into the auth AVPs the same way and failure route
                handling is the same.</p>
              <p class="MsoNormal"> </p>
              <p class="MsoNormal">You could very well have a use case
                for verifying the realm in failure_route; I’m not saying
                you don’t. I don’t see it from what you’ve described,
                but I may be missing something. I think the reason there
                is no variable for pulling the challenge realm value
                directly is because normally with this mechanism it
                shouldn’t be needed.</p>
              <p class="MsoNormal"> </p>
              <p class="MsoNormal">I would appreciate it if someone could
                confirm that uac_auth() will match the realm as I’m
                asserting. I’m 95% sure this is how it worked in my
                testing, but that was a while ago and as I said the
                realm matching doesn’t appear to be documented. I’d hate
                to be steering you down a wrong path.</p>
              <p class="MsoNormal"> </p>
              <p class="MsoNormal"><span style="color:black">Ben Newlin
                </span></p>
              <p class="MsoNormal"> </p>
              <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
                <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
                    </span></b><span style="font-size:12pt;color:black">Users
                    <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
                    <b>Date: </b>Friday, September 25, 2020 at 10:15 AM<br>
                    <b>To: </b>OpenSIPS users mailling list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
                    <b>Subject: </b>Re: [OpenSIPS-Users] learning the
                    realm from authentication challenges</span></p>
              </div>
              <div>
                <p class="MsoNormal">Johan, </p>
                <div>
                  <p class="MsoNormal">  I will definitely try that. 
                    Thank you!</p>
                  <div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                    <div>
                      <p class="MsoNormal">Ben, </p>
                    </div>
                    <div>
                      <p class="MsoNormal">  The problem is I have
                        multiple destinations with the same realm.  In
                        my case, several different Broadworks app
                        servers.  I haven't checked them exhaustively
                        but I think they all reply with
                        realm="BroadWorks" in their authentication
                        headers.  I've got some Asterisk boxes in here,
                        and I think they're all the domain of the SIP
                        request URI in the case of an INVITE.  I think
                        I'll have to choose ahead of time which
                        credentials go with which route, no?  Unless I'm
                        still not wrapping my head around how this is
                        supposed to work.</p>
                    </div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                    <div>
                      <p class="MsoNormal">- Jeff</p>
                    </div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                    <div>
                      <p class="MsoNormal"> </p>
                    </div>
                  </div>
                </div>
              </div>
              <p class="MsoNormal"> </p>
              <div>
                <div>
                  <p class="MsoNormal">On Fri, Sep 25, 2020 at 9:22 AM
                    Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>>
                    wrote:</p>
                </div>
                <blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
                  <div>
                    <div>
                      <p class="MsoNormal">Jeff,</p>
                      <p class="MsoNormal"> </p>
                      <p class="MsoNormal">My point was that the
                        uac_auth() is supposed to handle the realm
                        matching for you. If you simply load all of the
                        auth data based on the call target as you
                        already plan to do, uac_auth() should look
                        through that data for you to find credentials
                        with a matching realm. You don’t need to do that
                        part yourself in the script.</p>
                      <p class="MsoNormal"> </p>
                      <p class="MsoNormal"><span style="color:black">Ben
                          Newlin
                        </span></p>
                      <p class="MsoNormal"> </p>
                      <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
                        <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
                            </span></b><span style="font-size:12pt;color:black">Users
                            <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
                            <b>Date: </b>Thursday, September 24, 2020
                            at 11:14 PM<br>
                            <b>To: </b>OpenSIPS users mailling list
                            <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
                            <b>Subject: </b>Re: [OpenSIPS-Users]
                            learning the realm from authentication
                            challenges</span></p>
                      </div>
                      <div>
                        <p class="MsoNormal">Good catch on
                          Proxy-Authorization vs Proxy-Authenticate.  I
                          think I've been looking at this too long.  I
                          checked the module and that's exactly what it
                          is.</p>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">My hope was to load the
                            uac_auth user/pass AVPs ahead of time from a
                            DB based on where I knew I was sending the
                            call, load the realm one in the failure
                            route based on what comes back in the
                            header, and then fire the uac_auth()
                            function.  It looks like I may have to
                            manually extract the realm from whichever
                            header comes in.  Not ideal, but probably
                            workable.</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">- Jeff</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                      </div>
                      <p class="MsoNormal"> </p>
                      <div>
                        <div>
                          <p class="MsoNormal">On Thu, Sep 24, 2020 at
                            9:58 PM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>>
                            wrote:</p>
                        </div>
                        <blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt">
                          <div>
                            <div>
                              <p class="MsoNormal">This does not appear
                                to be documented, but I believe
                                uac_auth() looks through the AVPs
                                configured in the UAC_AUTH module and
                                uses the first one whose realm matches
                                the challenge realm. So in order to
                                authenticate any challenge, you must
                                load all of the possible credentials
                                into those AVPs.</p>
                              <p class="MsoNormal"> </p>
                              <p class="MsoNormal"><span style="color:black">Ben Newlin
                                </span></p>
                              <p class="MsoNormal"> </p>
                              <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
                                <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
                                    </span></b><span style="font-size:12pt;color:black">Users
                                    <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
                                    <b>Date: </b>Thursday, September
                                    24, 2020 at 9:53 PM<br>
                                    <b>To: </b>OpenSIPS users mailling
                                    list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
                                    <b>Subject: </b>Re:
                                    [OpenSIPS-Users] learning the realm
                                    from authentication challenges</span></p>
                              </div>
                              <p class="MsoNormal">According to the
                                docs, $ar provides the realm from the
                                “Authorization” or “Proxy-Authorization”
                                headers. Not from the
                                ”Proxy-Authenticate” header, which is
                                what you have.</p>
                              <p class="MsoNormal"> </p>
                              <p class="MsoNormal"><a href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6" target="_blank">https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6</a></p>
                              <p class="MsoNormal"> </p>
                              <p class="MsoNormal"><span style="color:black">Ben Newlin
                                </span></p>
                              <p class="MsoNormal"> </p>
                              <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
                                <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
                                    </span></b><span style="font-size:12pt;color:black">Users
                                    <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
                                    <b>Date: </b>Thursday, September
                                    24, 2020 at 9:31 PM<br>
                                    <b>To: </b>OpenSIPS users mailling
                                    list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
                                    <b>Subject: </b>[OpenSIPS-Users]
                                    learning the realm from
                                    authentication challenges</span></p>
                              </div>
                              <div>
                                <p class="MsoNormal">I'm trying to
                                  recover the realm of an auth challenge
                                  to OpenSIPS so I can respond to it
                                  with the uac_auth() function, and that
                                  requires knowing the realm.  The docs
                                  say that
                                  <a href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6" target="_blank">
                                    $ar</a> should provide that, perhaps
                                  written like $(&lt;reply&gt;ar) to get
                                  it in the right context.  I'm having
                                  some trouble getting the data.<br>
                                  <br>
                                  <span>failure_route[relay_failure]
                                    {<br>
                                    ...</span></p>
                                <div>
                                  <p class="MsoNormal"><span>        if
                                      (t_check_status("407")) {<br>
                                                      xlog("L_NOTICE",
                                      "[1] Proxy-Authenticate:
                                      $(&lt;reply&gt;hdr(Proxy-Authenticate))\n");<br>
                                                      xlog("L_NOTICE",
                                      "[2] Auth Realm:
                                      $(&lt;reply&gt;ar)\n");</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><span>               
                                      xlog("L_NOTICE", "[3] Auth Realm:
                                      $ar\n");<br>
                                              }</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><span>...</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><span>}</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">The logs show:<br>
                                    <br>
                                    <span>/usr/sbin/opensips[33044]:
                                      [1] Proxy-Authenticate: Digest
                                      realm="asterisk",
                                      nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd",
                                      qop="auth"<br>
                                      /usr/sbin/opensips[33044]: [2]
                                      Auth Realm reply: &lt;null&gt;<br>
                                      /usr/sbin/opensips[33044]: [3]
                                      Auth Realm: &lt;null&gt;</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Is it possible to
                                    get the realm?  Is it possible to
                                    build a response with uac_auth() for
                                    an arbitrary authentication
                                    challenge?</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">This is
                                    on 3.1.0~20200923~88f89e941.</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">- Jeff</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                              </div>
                            </div>
                          </div>
                          <p class="MsoNormal">_______________________________________________<br>
                            Users mailing list<br>
                            <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
                            <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
                        </blockquote>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
  </div>

</blockquote></div>
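<p>The realm extraction and per-destination credential choice discussed in this thread, as an added example that is not code from any poster or from OpenSIPS: it parses a Digest challenge value (handling commas and escaped quotes inside quoted strings, which is where a simple regex tends to break) and picks credentials by destination and realm together, since several destinations may answer with the same realm. The hostnames, usernames, secrets and the <code>CREDENTIALS</code> table are constructed placeholders; the first sample header is the one logged in the original post.</p>

```python
import re

# Constructed table (hypothetical; stands in for rows read from a credentials
# store). Keyed by (destination, realm): realm alone is ambiguous when several
# upstream servers all challenge with realm="BroadWorks".
CREDENTIALS = {
    ("bw-as1.example.net", "BroadWorks"): ("tester1", "placeholder-secret-1"),
    ("bw-as2.example.net", "BroadWorks"): ("tester2", "placeholder-secret-2"),
    ("ast1.example.net", "asterisk"): ("tester3", "placeholder-secret-3"),
}

# Header value as logged in the thread, then two constructed samples.
SAMPLE_PAGE = ('Digest realm="asterisk", '
               'nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", qop="auth"')
SAMPLE_BW = 'Digest realm="BroadWorks",qop="auth",nonce="constructed-nonce",algorithm=MD5'
SAMPLE_TRICKY = r'Digest realm="lab, \"east\"", nonce="abc"'

_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# auth-param = token "=" ( quoted-string / token ), followed by "," or the end.
# A quoted-string may contain commas and backslash-escaped characters.
_PARAM = re.compile(
    r'\s*(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))\s*(?:,|$)'
)


def parse_digest_challenge(value):
    """Parse one Proxy-Authenticate / WWW-Authenticate value into a dict.

    Returns None when the scheme is not Digest or the parameters are malformed.
    """
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if scheme.lower() != "digest" or not rest:
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            return None          # garbage between parameters: refuse to guess
        name = m.group(1).lower()  # parameter names are case-insensitive
        quoted, token = m.group(2), m.group(3)
        val = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        if name in params:
            return None          # duplicated parameter is ambiguous
        params[name] = val
        pos = m.end()
    return params


def select_credentials(destination, header_values):
    """Return (realm, username, password) for the first answerable challenge.

    destination is where the request was sent; header_values are the
    challenge header values taken from the 401/407 reply.
    """
    for value in header_values:
        challenge = parse_digest_challenge(value)
        if not challenge or "realm" not in challenge or "nonce" not in challenge:
            continue
        cred = CREDENTIALS.get((destination, challenge["realm"]))
        if cred:
            return (challenge["realm"],) + cred
    return None


if __name__ == "__main__":
    print(parse_digest_challenge(SAMPLE_PAGE)["realm"])
    print(select_credentials("bw-as2.example.net", [SAMPLE_BW]))
```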