Summary: ASTERISK-02020: Problems with insecure= setting and authentication
Reporter: John Todd (jtodd)
Labels:
Date Opened: 2004-07-14 18:31:19
Date Closed: 2011-06-07 14:10:05
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:

Yet another SIP authentication problem.

I have SER running, and passing calls to a PRI-enabled Asterisk server from a large range of Media Terminal Adapters, and a few other Asterisk systems set up as "clients".  I have this PRI-enabled Asterisk server functioning as a very simple media gateway to hand off my toll-free calls to a PRI - this is a one-way configuration (calls go to the PRI-enabled Asterisk server but don't originate _from_ that machine.)  I have apparently hit a very strangely shaped brick wall with authentication requests and the actual characters inside the request string - numeric characters seem to cause problems, while alpha characters do not.  I'm running CVS-HEAD-07/13/04-21:34:00.

Here's the definition of my SER proxy in sip.conf:

[ser-to-tollfree]
type=peer
insecure=yes
host=128.151.224.35
context=from-proxy1
secret=cracksmokingpassword

(note: I have tried with and without password)
(note: I have tried with and without insecure=very)

In the first two examples I show below, things work great.  The first query is (AsteriskPBX -> SER -> AsteriskPRI) and seems to work fine; my calls go through, no problem.  The second query is (MTA -> SER -> AsteriskPRI) and also works fine - no problems.  Note the address of record - it's "JohnTodd" in the second working example.  The third example is from the exact same MTA, with the only change being that I have altered the address of record to be "13012221111" instead of "JohnTodd", which is the phone number of the device.  For some inexplicable reason, Asterisk wants to authenticate the call if I have a number inside the quotes, despite my "insecure=very" statement on the peer definition.  There are apparently _no_ other reasons for this authentication request.  My call fails, since I don't have authentication set up in this environment.  I have now tested this back and forth half a dozen times to make sure I'm not going crazy, and it does seem to be the contents inside the quotes that is causing the "407 Proxy Authentication Required" messages to be produced.


{this is a packet capture of the typical flow of examples #1 and #2, which work correctly}
[root@app1 asterisk]# tethereal port 5060
Capturing on eth0
 0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description
 0.000439 128.151.224.11 -> 128.151.224.35 SIP Status: 100 Trying
 0.001085 128.151.224.11 -> 128.151.224.35 SIP Status: 180 Ringing
 1.980925 128.151.224.11 -> 128.151.224.35 SIP/SDP Status: 200 OK, with session description
 2.071965 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11
[call completes normally through Asterisk, to PRI and to PSTN]
 9.042939 128.151.224.35 -> 128.151.224.11 SIP Request: BYE sip:18005551212@128.151.224.11
 9.043038 128.151.224.11 -> 128.151.224.35 SIP Status: 200 OK
[root@app1 asterisk]#


Example #1: works (AsteriskPBX -> SER -> AsteriskPRI)
   Message Header
       Via: SIP/2.0/UDP 128.151.224.35:5061
       To: 18005551212<sip:18005551212@128.151.224.35>
       From: "19544342000" <sip:19544342000@128.151.224.35:5061>;tag=fa103954da5f640e9acb74f156cc0d02
           SIP from address: "19544342000" <sip:19544342000@128.151.224.35:5061>
           SIP tag: fa103954da5f640e9acb74f156cc0d02
       Date: Wed, 14 Jul 2004 03:10:35 GMT
       Call-ID: 696099192a69d2131ba9558512682f09@38.33.33.19
       cisco-GUID: 2771289936-1289311857-2561443184-602587443
       CSeq: 1 INVITE
       Max-Forwards: 10
       Contact: <sip:19544342000@128.151.224.35:5061>
       Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER
       User-Agent: SER-0.8.12
       Content-Type: application/sdp
       Content-Length: 237

Example #2: works (MTA -> SER -> AsteriskPRI):
   Message Header
       Via: SIP/2.0/UDP 128.151.224.35:5061
       To: 18005551212<sip:18005551212@128.151.224.35>
       From: "JohnTodd" <sip:JohnTodd@128.151.224.35:5061>;tag=711177a4e5109d504bfb492b0e7d9368
           SIP from address: "JohnTodd" <sip:JohnTodd@128.151.224.35:5061>
           SIP tag: 711177a4e5109d504bfb492b0e7d9368
       Call-ID: 2090d5b597dad5008f1ec713f24bf8ae@10.10.29.252
       cisco-GUID: 903578249-3900514380-3966096528-3148672395
       CSeq: 1 INVITE
       Max-Forwards: 69
       Contact: <sip:JohnTodd@128.151.224.35:5061>
       Accept: application/sdp
       Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER
       Supported: timer,replaces
       User-Agent: SER-0.8.12
       Content-Type: application/sdp
       Content-Length: 335


Now, if I modify my contact information to be a phone number (as it "should" be, in my model) then this is what I get:

[root@app1 asterisk]# tethereal port 5060
Capturing on eth0
 0.000000 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description
 0.000547 128.151.224.11 -> 128.151.224.35 SIP Status: 407 Proxy Authentication Required
 0.004623 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11;user=phone
 0.005122 128.151.224.35 -> 128.151.224.11 SIP/SDP Request: INVITE sip:18005551212@128.151.224.11;user=phone, with session description
 0.005481 128.151.224.11 -> 128.151.224.35 SIP Status: 403 Forbidden
 0.014618 128.151.224.35 -> 128.151.224.11 SIP Request: ACK sip:18005551212@128.151.224.11;user=phone
[root@app1 asterisk]#

and I get this on the console:

Jul 13 23:21:20 NOTICE[1133742896]: chan_sip.c:6902 handle_request: Failed to authenticate user "13012221111" <sip:13012221111@128.151.224.35:5061>;tag=89a3f4007f5078775e903f736a1410f9

Example #2: broken (MTA -> SER -> AsteriskPRI):
   Message Header
       Via: SIP/2.0/UDP 128.151.224.35:5061
       To: 18005551212<sip:18005551212@128.151.224.35>
       From: "13012221111" <sip:13012221111@128.151.224.35:5061>;tag=46710ecadb4d1dd027f2cc4cf09546b4
           SIP from address: "13012221111" <sip:13012221111@128.151.224.35:5061>
           SIP tag: 46710ecadb4d1dd027f2cc4cf09546b4
       Call-ID: 7aad8af6e3a695b73a32ca8b2945a1d6@10.10.29.252
       cisco-GUID: 2766138914-2181086183-3044107678-890207647
       CSeq: 1 INVITE
       Max-Forwards: 69
       Contact: <sip:13012221111@128.151.224.35:5061>
       Accept: application/sdp
       Allow: INVITE,ACK,OPTIONS,CANCEL,BYE,REFER
       Supported: timer,replaces
       User-Agent: SER-0.8.12
       Content-Type: application/sdp
       Content-Length: 340
Comments:

By: Mark Spencer (markster) 2004-07-14 21:43:58

Asterisk first tries to authenticate against a user entry based on the entry in the "From" field.  If the Caller*ID matches an entry, it will attempt to authenticate as a user.

By: Mark Spencer (markster) 2004-07-15 10:54:22

In any case, please make sure it's not matching a user entry.  If it is, then it's time to close out this bug.
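
The check the two comments above ask for, as an added example that is not part of the original ticket and is not Asterisk's own code: it lists the sip.conf sections that a given From header would match as a user entry. It assumes the match compares the user part of the From URI with the names of type=user or type=friend sections; the [13012221111] entry in the sample is constructed for illustration and is not from the reporter's configuration.

```python
import re

# Constructed sip.conf: the peer from the report plus a hypothetical
# type=friend entry added only to show what a From match looks like.
SAMPLE_SIP_CONF = """
[ser-to-tollfree]
type=peer
insecure=yes
host=128.151.224.35
context=from-proxy1

[13012221111]   ; hypothetical entry, not in the reporter's config
type=friend
secret=example-secret
"""

def parse_sections(text):
    """Return {section_name: {key: value}} for a sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def from_user(from_header):
    """Extract the user part of the SIP URI in a From header value."""
    uri = re.search(r"<([^>]+)>", from_header)
    target = uri.group(1) if uri else from_header.split(";", 1)[0]
    match = re.match(r"\s*sips?:([^@;>]+)@", target, re.IGNORECASE)
    return match.group(1) if match else None

def matching_user_entries(conf_text, from_header):
    """Sections that would be tried as a user for this From header."""
    user = from_user(from_header)
    if user is None:
        return []
    # Assumption: only type=user/friend sections count, compared by name.
    return [name for name, opts in parse_sections(conf_text).items()
            if opts.get("type", "").lower() in ("user", "friend")
            and name.lower() == user.lower()]
```

An empty result for the failing From header means no user entry explains the 407 challenge, which is the case the reporter describes.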

By: John Todd (jtodd) 2004-07-16 10:17:33

No, there is no user entry for this caller ID, or anything even closely resembling it.

By: Olle Johansson (oej) 2004-07-16 11:10:42

Waiting for feedback from jtodd after IRC conversation :-)

By: Olle Johansson (oej) 2004-07-19 12:53:50

Still waiting...

By: John Todd (jtodd) 2004-07-23 13:41:21

You might as well close this.  I don't have time to do anything other than not keep up with my email and sit in useless conference calls, so this won't get my undivided concentration for a long time.