
Re: [repro-users] Authenticated identity && repro


Hello,

Thank you Scott for the quick response!

Yes, if I remove the client's IP from the ACLS list then repro will add identity headers!

But I'd like to use repro as a SIP proxy that authenticates and forwards to another domain.
Where should I specify the domain messages should be forwarded to?

Now I get "403 forbidden" after authentication if repro's user calls an outbound callee.


Here's debug log snippet:

monkeys/DigestAuthenticator.cxx:130 | Authentication ok for root
monkeys/DigestAuthenticator.cxx:249 | User: root at realm: atest.com trying to forge request from: sip:root@xxxxxxxxx
Helper.cxx:372 | Helper::makeResponse(SipReq: INVITE root@xxxxxxxxx tid=-26769-1-3 cseq=INVITE contact=root@xxxxxxxxxxxxx:5002 / 1 from(wire) code=403 reason=
RequestContext.cxx:638 | tid of orig req: -26769-1-3
RequestContext.cxx:673 | Ensuring orig tid matches tid of response: -26769-1-3 == -26769-1-3
RequestContext.cxx:680 | Sending final response.
SipStack.cxx:289 | SEND: SipResp: 403 tid=-26769-1-3 cseq=INVITE / 1 from(tu)


Gergely


Scott Godin wrote:
Repro will only add an identity header if it performed digest authentication
on the request (challenged with a 407).  Adding an ACL rule for your
endpoint will cause repro to skip authentication, so it will not add the
identity header.  If you can get authentication to work properly, you should
see an identity header in the outbound requests.

Note:  Root certs are used for authenticating certificates returned to repro
during the outbound TLS authentication process.  Domain certs are used to
identify the repro server to clients that form TLS connections to repro.
The domain certs are also used to sign the identity headers.  You must
provide both public and private keys for the domain certs.

-----Original Message-----
From: repro-users-bounces@xxxxxxxxxxxxxxx
[mailto:repro-users-bounces@xxxxxxxxxxxxxxx] On Behalf Of Gergely Kovacs
Sent: October 8, 2007 10:37 AM
To: repro-users@xxxxxxxxxxxxxxx
Subject: [repro-users] Authenticated identity && repro

Hi,

I'd like to make rePro add Identity headers to messages. I compiled reSIProcate with SSL enabled. The Main/resip/stack/test/testIdentity util computes the right Identity.

My scenario is simple:
root@xxxxxxxxx calls root@xxxxxxxxx

root@xxxxxxxxx -> atest.com (0.0.0.0:5060) -> btest.com (0.0.0.0:5062) -> root@xxxxxxxxx

The IP address of btest.com comes from DNS, and the port is set by a rePro route. There is a rePro ACLS rule that covers the caller's IP address to avoid authentication (otherwise I get "403 forbidden" for outgoing messages from rePro even if the authentication was successful). I created a certificate and private key for the domain and copied them to the corresponding directory; rePro finds and loads them.

I execute repro with this command:
repro -v INFO -l syslog -d btest.com --enable-cert-server -t atest.com
(I've tried all combinations of the switches above)

Basically it works but the authentication headers are missing.

What is the difference between domain_cert and root_cert? (my root_cert is a symlink to domain_cert)
What should I do to have repro compute the identity header?

Thanks,
Gergely


