 To :  yate@v...
 From :  Bill Simon <bill@b...>
 Subject :  Re: [yate] Possible problem with qop=auth digest authentication
 Date :  Fri, 23 Dec 2011 14:02:38 -0500 (EST)
I have found the problem, and it is a bug in Yate's SIP messages. I am submitting a ticket on mantis. The problem is Yate's auth response: 

> Authorization: Digest username="username", realm="domain", 
> nonce="413eb806a9e9", uri="...", 
> response="8bb8f371e3e9428d14a01da632f79984", algorithm=MD5, qop="auth", 
> nc="00000001", cnonce="7aa1dc097d3ab938dd72adab4bf96134" 

According to RFC 2617 (Basic and Digest authentication) the qop= and nc= parameters are supposed to be a token and a hex number, respectively, but Yate puts them in quotes making them quoted strings instead. The remote switch I am connecting to is following the RFC strictly. I cobbled together a workaround but will let the programmers fix it properly. 

----- Original Message -----

> From: "Marian Podgoreanu" 
> To: "Bill Simon" 
> Cc: yate@v...
> Sent: Friday, December 23, 2011 10:19:38 AM
> Subject: Re: [yate] Possible problem with qop=auth digest
> authentication

> Hi,

> Check with the provider:
> You may need a different authentication name than the account
> username.
> If so, set it in the 'authname' parameter in accfile.conf:

> [myaccount]
> authname=

> Marian

> On 12/22/2011 5:00 AM, Bill Simon wrote:
> > Yate gurus, I am trying to authenticate to a provider using
> > MetaSwitch.
> > The authorization is not working, and the provider suggests that it
> > is a
> > problem with our switch (Yate) not authenticating correctly. I am
> > on the
> > latest SVN of yate 3.3.3.
> >
> > After the initial invite, I get:
> >
> > SIP/2.0 401 Unauthorized
> > WWW-Authenticate: Digest
> > realm="domain",nonce="413eb806a9e9",stale=false,algorithm=MD5,qop="auth"
> > Call-ID: 1171378329@domain
> > CSeq: 2 INVITE
> >
> >
> > Yate sends ACK for CSeq 2 and then a new INVITE:
> >
> > Call-ID: 1171378329@domain
> > User-Agent: YATE/3.3.3
> > Contact: ...
> > Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, INFO
> > CSeq: 3 INVITE
> > Authorization: Digest username="username", realm="domain",
> > nonce="413eb806a9e9", uri="...",
> > response="8bb8f371e3e9428d14a01da632f79984", algorithm=MD5,
> > qop="auth",
> > nc="00000001", cnonce="7aa1dc097d3ab938dd72adab4bf96134"
> >
> >
> > Then the provider replies with 401 again:
> >
> > SIP/2.0 401 Unauthorized
> > WWW-Authenticate: Digest
> > realm="domain",nonce="413eb807a9ea",stale=false,algorithm=MD5,qop="auth"
> > Call-ID: 1171378329@domain
> > CSeq: 3 INVITE
> >
> > Yate sends ACK for CSeq 3 and then gives up:
> >
> > <sip/4:ALL> YateSIPConnection::hangup() state=1 trans=0xdeea10
> > error='noauth' code=401 reason='Unauthorized' [0xdcdad0]
> >
> >
> > Connections to this provider without auth (IP auth only) work OK,
> > but
> > the provider wants us to authenticate.
> >
> >
> > I saw an old message on the mailing list from 2011-March that Yate
> > cannot handle qop=auth type authentication, but it looks like this
> > functionality exists in version 3.3.3.
> >
> > Bill
> >
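
Added example (not part of the original messages, and neither Bill's workaround nor Yate's fix): a Python check that parses the Authorization header shown in the thread, reports the qop and nc quoting that a strict RFC 2617 peer rejects, and re-serializes the credential with those two parameters unquoted. The function names are hypothetical.

```python
import re

# One auth-param: name "=" ( quoted-string | token ), then "," or end of input.
_PARAM = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

# Authorization header from the thread, unfolded onto one line (uri elided as on the page).
YATE_HEADER = ('Digest username="username", realm="domain", nonce="413eb806a9e9", '
               'uri="...", response="8bb8f371e3e9428d14a01da632f79984", algorithm=MD5, '
               'qop="auth", nc="00000001", cnonce="7aa1dc097d3ab938dd72adab4bf96134"')

def parse_digest(header_value):
    """Return {name: (value, was_quoted)} for a Digest credential."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "digest":
        raise ValueError("not a Digest credential")
    rest, params, pos = parts[1].strip(), {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed parameter at offset %d" % pos)
        quoted = m.group(2) is not None
        params[m.group(1).lower()] = (m.group(2) if quoted else m.group(3), quoted)
        pos = m.end()
    return params

def strict_findings(header_value):
    """Quoting problems a strict RFC 2617 parser would reject in qop and nc."""
    params, findings = parse_digest(header_value), []
    for name in ("qop", "nc"):
        if name in params and params[name][1]:
            findings.append("%s sent as quoted-string, expected bare value" % name)
    if "nc" in params and not re.fullmatch(r"[0-9a-f]{8}", params["nc"][0]):
        findings.append("nc is not 8 lowercase hex digits")
    return findings

def requote(header_value):
    """Re-serialize the credential with qop and nc unquoted, others unchanged."""
    out = []
    for name, (value, quoted) in parse_digest(header_value).items():
        if quoted and name not in ("qop", "nc"):
            out.append('%s="%s"' % (name, value))
        else:
            out.append("%s=%s" % (name, value))
    return "Digest " + ", ".join(out)

if __name__ == "__main__":
    print(strict_findings(YATE_HEADER))
    print(requote(YATE_HEADER))
```

Changing the quoting does not alter the response value, because the digest is computed over the unquoted parameter values.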


