<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <font face="monospace">Hi,<br>
      <br>
      Some more info on this: the challenge function allows you to
      specify a list of algorithms, not only one, so you can try "MD5,</font><font
      face="monospace"><span class="quote"><span class="quote">SHA-256"
          -> this will allow the client to pick the one it supports.<br>
          <br>
          But in order to have this multi-algs working, be sure you do
          NOT set the "</span></span></font><font face="monospace"><span
        class="quote"><span class="quote"><span lang="EN-US">password_column"
            modparam (as the module will auto-detect which column to
            use, depending on the alg). Just keep the calculate_ha1 to
            0.<br>
            <br>
            Regards,<br>
          </span></span></span></font>
    <pre class="moz-signature" cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a class="moz-txt-link-freetext" href="https://www.opensips.org/events/Summit-2022Athens/">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
    <div class="moz-cite-prefix">On 9/15/22 10:56 AM, jacky z wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAOB03DsEQe1D__xk9_B11OGajQ_dwQ9eWQx+=88_zhuW2H8WbQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Correction on my comments. It is a client side
        issue. Thank you!</div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, Sep 15, 2022 at 3:40
          PM jacky z <<a href="mailto:zjack0992@gmail.com"
            moz-do-not-send="true">zjack0992@gmail.com</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">After checking the log in the client side,
                here are some interesting findings:
                <div><br>
                </div>
                <div>Here is what the client side received:</div>
                <div><br>
                </div>
                <div>WWW-Authenticate: Digest realm="<a
                    href="http://sip.domain.com" target="_blank"
                    moz-do-not-send="true">sip.domain.com</a>",
                  nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA",
                  qop="auth,auth-int", algorithm=SHA-256<br>
                </div>
                <div><br>
                </div>
                <div>Then the client side logs show:</div>
                <div><br>
                </div>
                <div>
                  <div>15:25:51.858       ...Unsupported digest
                    algorithm "SHA-256"</div>
                  <div>15:25:51.859      ....SIP registration error:
                    Invalid/unsupported digest algorithm</div>
                </div>
                <div><br>
                </div>
                <div>Firstly, if the server side did not include SHA-256
                  in the SIP message, there would be no such issue. I
                  don't understand why it needs to inform the client
                  side "SHA-256". Secondly, if the client side just
                  simply ignored "SHA-256", there would be no such
                  issue. However, the client side treated it as not
                  supported.</div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Thu, Sep 15, 2022 at
              3:16 PM jacky z <<a href="mailto:zjack0992@gmail.com"
                target="_blank" moz-do-not-send="true">zjack0992@gmail.com</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">Hi Bogdan-Andrei,
                    <div><br>
                    </div>
                    <div>I tried either specifying it or not. Neither
                      worked. Here is the script when I tried:</div>
                    <div><br>
                    </div>
                    <div>www_challenge("","auth,auth-int","SHA-256");<br>
                    </div>
                    <div><br>
                    </div>
                    <div>I also tried specifying the realm in the above
                      code. When the above is used, there is no such
                      error, but always returns 401. I checked the
                      column ha1_sha256 and the hash of the password is
                      correct.</div>
                    <div><br>
                    </div>
                    <div>Thanks!</div>
                  </div>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Thu, Sep 15, 2022
                  at 2:07 PM Bogdan-Andrei Iancu <<a
                    href="mailto:bogdan@opensips.org" target="_blank"
                    moz-do-not-send="true">bogdan@opensips.org</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div> <font face="monospace">Hi,<br>
                      <br>
                      In your opensips.cfg, when doing auth challenge to
                      the end points, do you specify the SHA256 alg?<br>
                      <br>
                      <a
href="https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge"
                        target="_blank" moz-do-not-send="true">https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge</a><br>
                      <br>
                      Regards,<br>
                    </font>
                    <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank" moz-do-not-send="true">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank" moz-do-not-send="true">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                    <div>On 9/15/22 7:18 AM, jacky z wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr">
                              <div dir="ltr">Hi Team,<br>
                                <div><br>
                                </div>
                                <div><font size="1" face="arial,
                                    sans-serif">Does <span
                                      style="background-color:rgb(255,255,255)">ha1_sha256</span> work
                                    in general opensips config settings?
                                    I have the following in the scripts:</font></div>
                                <div><font size="1" face="arial,
                                    sans-serif"><br>
                                  </font></div>
                                <div>
                                  <p class="MsoNormal"><span
                                      lang="EN-US">modparam("auth_db",
                                      "calculate_ha1", 0)</span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US">modparam("auth_db",
                                      "password_column", "<span>ha1_sha256</span>")</span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US"><br>
                                    </span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US">but got the following
                                      error in the log:</span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US"><br>
                                    </span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US">/usr/sbin/opensips[28261]:
                                      ERROR:auth:auth_calc_HA1:
                                      Incorrect length of pre-hashed
                                      credentials for the algorithm
                                      "MD5": 32 expected, 64 provided<br>
                                    </span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US"><br>
                                    </span></p>
                                  <p class="MsoNormal"><span
                                      lang="EN-US">It seems though the
                                      sha256 was specified, but the
                                      server still calculated MD5 and
                                      compared with the database column </span>ha1_sha256.</p>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">
                        <div dir="ltr" class="gmail_attr">On Tue, Aug 9,
                          2022 at 5:39 PM Bogdan-Andrei Iancu <<a
                            href="mailto:bogdan@opensips.org"
                            target="_blank" moz-do-not-send="true">bogdan@opensips.org</a>>
                          wrote:<br>
                        </div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div> <font face="monospace">Hi Bela,<br>
                              <br>
                              The OCP does not support ha1_sha256 AFAIK.
                              Consider opening a feature request here <a
href="https://github.com/OpenSIPS/opensips-cp/issues" target="_blank"
                                moz-do-not-send="true">https://github.com/OpenSIPS/opensips-cp/issues</a><br>
                              <br>
                              Regards,<br>
                            </font>
                            <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank" moz-do-not-send="true">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank" moz-do-not-send="true">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                            <div>On 6/29/22 9:10 AM, Bela H wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <p class="MsoNormal"><span lang="EN-US">Hi
                                    all,</span></p>
                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                <p class="MsoNormal"><span lang="EN-US">Is
                                    there any way to add new subscriber
                                    from OpenSIPS CP 9.3.2 using
                                    password mode ha1_sha256?</span></p>
                                <p class="MsoNormal"><span lang="EN-US">The
                                    ha1 (</span>MD5(username:realm:password)<span
                                    lang="EN-US">) works fine but I had
                                    no luck with the value generation
                                    for the ha1_sha256 field in
                                    “subscriber” table. </span></p>
                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                <p class="MsoNormal"><span lang="EN-US">I
                                    have this setting:</span></p>
                                <p class="MsoNormal"><span lang="EN-US">modparam("auth_db",
                                    "calculate_ha1", 0)</span></p>
                                <p class="MsoNormal"><span lang="EN-US">modparam("auth_db",
                                    "password_column", "ha1_sha256")</span></p>
                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                <p class="MsoNormal"><span lang="EN-US">Thanks!</span></p>
                                <p class="MsoNormal"><span lang="EN-US">Bela</span></p>
                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                <br>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>