| Summary: | ASTERISK-04970: [patch] subscribe authentication fails with multiple peers on same client | ||
| Reporter: | philipp2 (philipp2) | Labels: | |
| Date Opened: | 2005-09-02 08:21:50 | Date Closed: | 2008-01-15 15:50:11.000-0600 | 
| Priority: | Minor | Regression? | No | 
| Status: | Closed/Complete | Components: | Channels/chan_sip/Subscriptions | 
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ( 0) sip-debug.txt ( 1) subscribepeer.txt | |
| Description: | Asterisk 1.0.9 (maybe also earlier versions?) contains a bug that effectively disables subscriptions for phones with multiple regististrations in place. When processing a "nonce response" as a result to an 407 authentication request Asterisk with SIP DEBUG reports "Found peer YYY" even though it should look at peer XXX to compare user credentials. Consequently a NOTICE is displayed with "Failed to authenticate user ... for SUBSCRIBE" (YYY and XXX share the same IP and port, only the user name differs). This bug is not present in 1.0.2 (for Asterisk 1.2 beta I cannot make a statement). Subscriptions worked fine with 1.0.2 (bristuffed), and failed after upgrade to 1.0.9 (bristuffed) without any changes to the config files or phones. ****** ADDITIONAL INFORMATION ****** Both co723 and co724 are "lines" = users/peers on this SNOM 360 that have successfully registered (on the same port and with the same IP). In this case 1001 is a mailbox, but the same applies also to "normal" extensions that a subscribe is attempted for. Sip read: SUBSCRIBE sip:1001@myast.mynet.void SIP/2.0 Via: SIP/2.0/UDP 192.168.63.23:5067;branch=z9hG4bK-026k96pd5zkl;rport From: <sip:co723@myast.mynet.void>;tag=afxno3l6f3 To: <sip:1001@myast.mynet.void> Call-ID: 3c26700a57e4-264nwbc856zv@snom360 CSeq: 530 SUBSCRIBE Max-Forwards: 70 Contact: <sip:co723@192.168.63.23:5067;line=e2w48vym> Event: message-summary Accept: application/simple-message-summary Expires: 3600 Content-Length: 0 12 headers, 0 lines Using latest SUBSCRIBE request as basis request Sending to 192.168.63.23 : 5067 (non-NAT) Found peer 'co724' Transmitting (no NAT): SIP/2.0 407 Proxy Authentication Required Via: SIP/2.0/UDP 192.168.63.23:5067;branch=z9hG4bK-026k96pd5zkl From: <sip:co723@myast.mynet.void>;tag=afxno3l6f3 To: <sip:1001@myast.mynet.void>;tag=as515351e8 Call-ID: 3c26700a57e4-264nwbc856zv@snom360 CSeq: 530 SUBSCRIBE User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER Contact: <sip:1001@192.168.63.2> Proxy-Authenticate: Digest realm="myast.mynet.void", nonce="14156710" Content-Length: 0 to 192.168.63.23:5067 Scheduling destruction of call '3c26700a57e4-264nwbc856zv@snom360' in 15000 ms myAst*CLI> Sip read: SUBSCRIBE sip:1001@myast.mynet.void SIP/2.0 Via: SIP/2.0/UDP 192.168.63.23:5067;branch=z9hG4bK-xqvtge178i5o;rport From: <sip:co723@myast.mynet.void>;tag=afxno3l6f3 To: <sip:1001@myast.mynet.void> Call-ID: 3c26700a57e4-264nwbc856zv@snom360 CSeq: 531 SUBSCRIBE Max-Forwards: 70 Contact: <sip:co723@192.168.63.23:5067;line=e2w48vym> Event: message-summary Accept: application/simple-message-summary Proxy-Authorization: Digest username="co723",realm="myast.mynet.void",nonce="14156710",uri="sip:1001@myast.mynet.void",response="5068d2749be71ec807e3ec41949e4e11",algorithm=md5 Expires: 3600 Content-Length: 0 13 headers, 0 lines Using latest SUBSCRIBE request as basis request Sending to 192.168.63.23 : 5067 (non-NAT) Found peer 'co724' Sep 2 12:09:12 NOTICE[13986]: chan_sip.c:7654 handle_request: Failed to authenticate user <sip:co723@myast.mynet.void>;tag=afxno3l6f3 for SUBSCRIBE Destroying call '3c26700a57e4-264nwbc856zv@snom360' | ||
| Comments: | By: Kevin P. Fleming (kpfleming) 2005-09-02 15:19:48 It's not likely that this will be fixed in 1.0.x unless the fix is simple to produce and unlikely to cause other breakage. Most of the development community is now focused on producing the 1.2 release, where this code has been (nearly) completely rewritten... so any fix for this problem would be 1.0.x specific. By: philipp2 (philipp2) 2005-09-02 16:22:02 I guess the question then is: Will there be a 1.0.10? By: Tracy Carlton (carltont) 2005-09-09 00:31:01 I've just confirmed that this is still happening in the current CVS-HEAD as of today 9/8/2005. Additionally, if you disable the additional extension(s) on the phone and allow it register only the "primary ext" and then afterward enable and register the secondary ext(s) subscriptions work until the phone is rebooted or the Asterisk configs are reread/reloaded. By: Olle Johansson (oej) 2005-09-09 02:42:23 I need to see a full SIP debug from the first registration to the failed subscriptions, as well as excerpts from your sip.conf. the SIP debug needs to have debug enabled in logger.conf, debug set to 4 and verbose set to 4 and sipdebug turned on. Thank you. By: Olle Johansson (oej) 2005-09-09 02:42:45 ...and from CVS head/beta 1.2 By: philipp2 (philipp2) 2005-09-09 07:51:47 The request of OEJ is directed at 'carltont' then, since I can only test in a production environment that requires 1.0.x due to bristuff. Anyway, with X-Lite and/or EyeBeam this should be straigt forward to reproduce, simply create two or more accounts that register to the same Asterisk and request some kind of subscription. By: Olle Johansson (oej) 2005-09-09 08:00:11 I have several phones inside of a NAT and it works perfectly, so I can't reproduce it... So please upload a full SIP debug. Thank you. By: philipp2 (philipp2) 2005-09-09 10:26:06 Just to make sure we don't have a misunderstanding here: The error occurs with multiple users on the SAME phone/client, not with several DIFFERENT phones. By: Olle Johansson (oej) 2005-09-09 10:50:35 Ahh. I missed that. Thank you for the clarification. Any hints on how I configure that on my Snom 360 so I can test? By: philipp2 (philipp2) 2005-09-09 11:06:02 The Snom360 has 7 lines (at least with my firmware): Use at least two of those to register two different users, e.g. user1 on line 1 and user2 on line 2, with the same Asterisk box, e.g. ast-box1. Make sure that both users have a mailbox= setting in sip.conf; the SNOM will attempt to subscribe to the mailbox for each user (using the corresponding (!) user credentials). If you like you can also add one or more function keys set to "DESTINATION" so that we also get a subscription here - the SNOM will then use the line with the lowest number for authentication for all (!) DESTINATIONS. E.g. if line 1 is empty, and line 2 and 3 have a user setting, then DESTINATION subscriptions will be performed with line 2 user info. By: Olle Johansson (oej) 2005-09-22 08:52:16 For some reason we match on peer ip. I still need your configuration for the two peers as well as a full SIP debug from CVS head. Thank you for your cooperation. By: Kevin P. Fleming (kpfleming) 2005-09-29 00:19:58 Can we get the requested trace and configuration information? Thanks. By: philipp2 (philipp2) 2005-09-29 03:02:05 As explained before I cannot test with HEAD, so I hope for carltont (or someone else with HEAD and multi-line phones) to provide those traces. By the way, this bug is also to be found in 1.0.7. By: philipp2 (philipp2) 2005-10-02 12:12:08 In short: The issue indeed is also present in 1.2 beta1. Finally I managed to get hold of a snom320 and get beta1 working (zaptel wouldn't want to compile at all, but with Tzafrir's zaptel package for debian it worked out). That's why I can't test with CVS, even though I'd like to. :-( The setup: snom320 can nicely subscribe to 5678 as line 1 on the snom. However as soon as I add snom320b on line 2 the subscription for snom320 breaks (the latter case is what you see in the debug). * sip.conf * [xlite_athlete] type=friend username=xlite_athlete callerid="Jane Smith" <5678> host=dynamic nat=route disallow=all allow=alaw allow=gsm [snom320] type=friend username=snom320 secret=******** host=dynamic qualify=yes nat=no canreinvite=no mailbox=1234 disallow=all allow=alaw allow=g726 allow=gsm [snom320b] type=friend username=snom320b secret=******** host=dynamic nat=no canreinvite=no mailbox=1234 disallow=all allow=alaw allow=g726 allow=gsm * extension.conf * exten => 144,hint,SIP/snom320 exten => 144,1,Dial(SIP/snom320,,tT) exten => 144,2,HangUp exten => 5678,hint,SIP/xlite_athlete exten => 5678,1,Dial(SIP/xlite_athlete,,tT) exten => 5678,2,HangUp *CLI> show hints -= Registered Asterisk Dial Plan Hints =- 8400 : SIP/non-existent State 3 5678 : SIP/xlite_athlete State 0 144 : SIP/snom320 State 0 500 : Local/500 State 0 ---------------- - 4 hints registred ** SIP DEBUG ** -removed to improve readability- By: Olle Johansson (oej) 2005-10-02 12:44:04 Please never add debug output within the bug tracker itself, it needs to be attached as a file. Otherwise it will be very hard working with the tracker. All SIP debug traces need to be captured with SIP debug on, debug=4 and verbose=4. Thank you. By: Olle Johansson (oej) 2005-10-02 12:46:38 Can you change the port address for the second account on the SNOM phone? We match on IP and port, and both are the same. So "snom320" is matched to "snom320b" on the first try. By: Olle Johansson (oej) 2005-10-02 13:25:07 Please test this patch. * Checks both users and peers for SUBSCRIBE * Checks peers on peer name * Only looks up peer on mailbox subscriptions (better for realtime) Please confirm urgently if this solves your problem. Thank you. Disclaimer on file. By: Olle Johansson (oej) 2005-10-02 13:26:08 btw, with this patch we do not match on peer IP for subscriptions any more. I can't figure out why we should. Anyone that has a reason for keeping IP matching on peers for SUBSCRIBE requests? By: philipp2 (philipp2) 2005-10-02 13:37:00 Ok, sorry for the first post, I hadn't realized that the debug output went to /var/log/astersisk/debug instead the console - now upload sip-debug.txt. About the SIP port: I don't see a way in the snom to assign ports to the different lines. By: Olle Johansson (oej) 2005-10-02 14:02:39 This patch does not rely on different ports any way. Please test it. By: Olle Johansson (oej) 2005-10-02 14:06:46 The patch is for CVS head. By: philipp2 (philipp2) 2005-10-02 14:40:48 With beta1 I get: Hunk ASTERISK-2 FAILED at 9772. Apart from this it appears to be working nicely and certainly solves the issue. Applies cleanly to HEAD and works fine (I am surprised I can run HEAD with zaptel from beta1) By: Olle Johansson (oej) 2005-10-02 14:47:39 Thank you for confirming the patch so quickly!!!! Ready for kpflemings detailed audit ;-) By: philipp2 (philipp2) 2005-10-03 05:33:13 Let me return the compliment: Thanks a lot for the fix, this really did bug me! :-) By: Kevin P. Fleming (kpfleming) 2005-10-04 19:58:27 Committed to CVS HEAD, thanks! By: Digium Subversion (svnbot) 2008-01-15 15:50:11.000-0600 Repository: asterisk Revision: 6723 U trunk/channels/chan_sip.c ------------------------------------------------------------------------ r6723 | kpfleming | 2008-01-15 15:50:10 -0600 (Tue, 15 Jan 2008) | 2 lines handle peer matching for subscriptions by name instead of IP address (issue ASTERISK-4970) ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=6723 | ||