[Home]

Summary:ASTERISK-11320: "auth" doesn't work inside a [peer]
Reporter:Iñaki Baz Castillo (ibc)Labels:
Date Opened:2008-01-29 06:34:05.000-0600Date Closed:2008-07-01 09:24:20
Priority:MinorRegression?No
Status:Closed/CompleteComponents:Channels/chan_sip/Interoperability
Versions:Frequency of
Occurrence
Related
Issues:
Environment:Attachments:( 0) bug11861.txt
( 1) debug-Asterisk-auth-peer-doesnt-work.txt
Description:I define a peer who needs authentication to accept calls form my Asterisk:

---sip.conf---
[peer-cdr]
type=peer
host=cdr.mydomain.org
fromuser=991847150
fromdomain=mydomain.org
auth=user51:1234@mydomain.org
insecure=invite
qualify=no
nat=no
canreinvite=no
-------------

But it fails when Asterisk sends an INVITE to that peer. In fact, I think the "auth" parameter inside [peer] is not parsed at all. Note in the attached debug that after "407 Authentication required" there is not a new INVITE from Asterisk.


But if I move the line:
 auth=user51:1234@cdr.mydomain.org
to [authentication] section then it works!  ¿?¿

---sip.conf---
[authentication]
auth=user51:1234@cdr.mydomain.org
--------------

Note the comment in [authentication] section:
 ; You may also add auth= statements to [peer] definitions
 ; Peer auth= override all other authentication settings if we match on realm

So something is buggy here IMHO.


Of course, another solution would be using "username" and "secret", but why should I write the password in clear?

---sip.conf---
[peer-cdr]
type=peer
host=cdr.mydomain.org
fromuser=991847150
fromdomain=mydomain.org
username=user51
secret=1234
insecure=invite
qualify=no
nat=no
canreinvite=no
-------------


And remember that using "auth" in [authentication] is a risk (bug ASTERISK-11245):
 http://bugs.digium.com/view.php?id=11776

Comments:By: Iñaki Baz Castillo (ibc) 2008-01-30 02:22:43.000-0600

Thanks for the summary fix ;)

By: Olle Johansson (oej) 2008-01-30 07:16:18.000-0600

Can you please add a SIP debug showing this issue (add this as an attachment, don't forget to include debug logs).

Thanks.

By: Iñaki Baz Castillo (ibc) 2008-01-30 07:40:24.000-0600

Sorry, I did the debug but forgot to upload it :-p
Now it's attached.

By: Olle Johansson (oej) 2008-01-30 10:08:13.000-0600

For some reason, that part of the original code was missing. The peerauth pointer was still around though.

Try this patch and please confirm if it works for you.

/Olle

By: Iñaki Baz Castillo (ibc) 2008-01-30 11:43:18.000-0600

I have problems to set the patch (the line numbers don't match with that revision), so finally I've patched the SVN trunk version (revision 101278) manually and recompiled (chan_sip.c is compiled again).

But it doesn't work at all, the same occurs: after 407 there is not a new INVITE with credentials.

By: Olle Johansson (oej) 2008-01-30 15:29:56.000-0600

The patch was made for 1.4 (the problem exists there too). I will have to test it a bit more later this week obviously.

By: jmls (jmls) 2008-02-17 13:06:40.000-0600

oej, were you able to test ?

By: Olle Johansson (oej) 2008-06-10 09:26:11

Will test this week actually.

By: Olle Johansson (oej) 2008-07-01 07:19:54

Please test with latest svn version. Thanks.

By: Iñaki Baz Castillo (ibc) 2008-07-01 09:04:22

It works :)
Thanks.

By: Olle Johansson (oej) 2008-07-01 09:24:12

Thanks for checking quickly!