Summary:ASTERISK-01728: SIP authentication failure is back
Reporter:philipp2 (philipp2)Labels:
Date Opened:2004-05-30 18:07:48Date Closed:2011-06-07 14:05:22
Versions:Frequency of
Description:The problem was fixed for a day or so, but not it is back in CVS.
Comments:By: philipp2 (philipp2) 2004-05-30 18:08:09

See 1748

By: philipp2 (philipp2) 2004-05-30 18:09:25


By: Mark Spencer (markster) 2004-05-30 18:24:38

I applied the patch in 1748 already.  How about actually substantiating your bug report with slightly more information than "it's broken" and "see bug 1748".

By: Mark Spencer (markster) 2004-05-30 19:29:39

In order to keep things easier in the future, I've published guidelines for bug reports at http://www.digium.com/bugguidelines.html and  you don't even have to remember the URL because there is now a link to it when you go to submit a bug report.

By: philipp2 (philipp2) 2004-05-31 06:34:06

This *really* is the same issue as in bug 1748 and 1738. Since those are closed, however, I need to open a new report. When trying to call Asterisk via FWD the call is not accepted:

NOTICE[10251]: chan_sip.c:6397 handle_request: Failed to authenticate user "xxx" <sip:80176@>;tag=as54212c1c

Using X-Lite it reports more or less the same: 407 - Proxy Authentication Required.

sip.conf of the called server:


SIP DEBUG shows that this user [fwd.pulver.com] is correctly found.
Did maybe the faulty chan_sip code by accident creep back into CVS?

bearbeitet am: 05-31-04 05:44

By: Mark Spencer (markster) 2004-05-31 10:46:45

As documented in the others, you need to use "insecure=very" if you want to not authenticate just because the IP matches.

By: philipp2 (philipp2) 2004-05-31 14:58:06

Ok, got it - but I swear two days ago it worked briefly without insecure=very. Anyway, this has the potential to "break" a lot if existing installations, so I'll go through the Wiki examples and see where things need to be changed.

Now consider this:



No matter in what order I specify these two in sip.conf it is always [fwd-out-user1] that "wins" upon an incoming FWD call. Instead I think that Asterisk should first check for user definitions that match the host name and have no username/pw, and only then look for those with username/pw and insecure=very.

Also: I am still slightly confused about the usage of type=peer. I need peer to be able to dial out, but peer also works for incoming calls - isn't that part supposed to be taken over by type=user?

By: Brian West (bkw918) 2004-05-31 15:15:24

type=friend or you create an entry with the same name example




By: Mark Spencer (markster) 2004-05-31 15:18:04

Had SIP been implemented with some sort of mild attention to authentication, then we would have a very strong concept of user/peer just like IAX does.  However, there is no solid concept of authentication in SIP (as evidenced by the inability of FWD to authenticate to you), requiring us to be able to authenticate based on IP, or peer based authentication.  

Asterisk will first try to match the From: line to a user, and then failing that will look for an appropriate peer.

I'll go ahead and close this out since it's not a bug.

By: Mark Spencer (markster) 2004-05-31 15:18:40

And just for the record, if you want to change the SIP authentication behavior, i would discuss it on asterisk-dev and get some concensus and when you have a patch submit it as a new feature.