ASTERISK-11320: "auth" doesn't work inside a [peer]

[Home]

Summary: ASTERISK-11320: "auth" doesn't work inside a [peer]

Reporter: Iñaki Baz Castillo (ibc) Labels:

Date Opened: 2008-01-29 06:34:05.000-0600 Date Closed: 2008-07-01 09:24:20

Priority: Minor Regression? No

Status: Closed/Complete Components: Channels/chan_sip/Interoperability

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments: ( 0) bug11861.txt
( 1) debug-Asterisk-auth-peer-doesnt-work.txt

Description: I define a peer who needs authentication to accept calls form my Asterisk:

---sip.conf---
[peer-cdr]
type=peer
host=cdr.mydomain.org
fromuser=991847150
fromdomain=mydomain.org
auth=user51:1234@mydomain.org
insecure=invite
qualify=no
nat=no
canreinvite=no
-------------

But it fails when Asterisk sends an INVITE to that peer. In fact, I think the "auth" parameter inside [peer] is not parsed at all. Note in the attached debug that after "407 Authentication required" there is not a new INVITE from Asterisk.

But if I move the line:
auth=user51:1234@cdr.mydomain.org
to [authentication] section then it works! ¿?¿

---sip.conf---
[authentication]
auth=user51:1234@cdr.mydomain.org
--------------

Note the comment in [authentication] section:
; You may also add auth= statements to [peer] definitions
; Peer auth= override all other authentication settings if we match on realm

So something is buggy here IMHO.

Of course, another solution would be using "username" and "secret", but why should I write the password in clear?

---sip.conf---
[peer-cdr]
type=peer
host=cdr.mydomain.org
fromuser=991847150
fromdomain=mydomain.org
username=user51
secret=1234
insecure=invite
qualify=no
nat=no
canreinvite=no
-------------

And remember that using "auth" in [authentication] is a risk (bug ASTERISK-11245):
http://bugs.digium.com/view.php?id=11776

Comments: By: Iñaki Baz Castillo (ibc) 2008-01-30 02:22:43.000-0600

Thanks for the summary fix ;)
By: Olle Johansson (oej) 2008-01-30 07:16:18.000-0600

Can you please add a SIP debug showing this issue (add this as an attachment, don't forget to include debug logs).

Thanks.
By: Iñaki Baz Castillo (ibc) 2008-01-30 07:40:24.000-0600

Sorry, I did the debug but forgot to upload it :-p
Now it's attached.
By: Olle Johansson (oej) 2008-01-30 10:08:13.000-0600

For some reason, that part of the original code was missing. The peerauth pointer was still around though.

Try this patch and please confirm if it works for you.

/Olle
By: Iñaki Baz Castillo (ibc) 2008-01-30 11:43:18.000-0600

I have problems to set the patch (the line numbers don't match with that revision), so finally I've patched the SVN trunk version (revision 101278) manually and recompiled (chan_sip.c is compiled again).

But it doesn't work at all, the same occurs: after 407 there is not a new INVITE with credentials.
By: Olle Johansson (oej) 2008-01-30 15:29:56.000-0600

The patch was made for 1.4 (the problem exists there too). I will have to test it a bit more later this week obviously.
By: jmls (jmls) 2008-02-17 13:06:40.000-0600

oej, were you able to test ?
By: Olle Johansson (oej) 2008-06-10 09:26:11

Will test this week actually.
By: Olle Johansson (oej) 2008-07-01 07:19:54

Please test with latest svn version. Thanks.
By: Iñaki Baz Castillo (ibc) 2008-07-01 09:04:22

It works :)
Thanks.
By: Olle Johansson (oej) 2008-07-01 09:24:12

Thanks for checking quickly!