
Re: [repro-users] Authenticated identity && repro


There is code in repro to ensure that the From header user and domain match
the authentication user and realm.  Your Invite message appears to be
failing this check.  Check out DigestAuthenticator.cxx line 249, and
DigestAuthenticator::authorizedForThisIdentity.

Scott
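
The check described above, sketched as an added example (not part of the original message and not repro's own code): once digest authentication has succeeded, the From URI's user and domain are compared with the authenticated user and realm, and a mismatch is answered with 403. The function names, the simplified URI parsing and the sample URIs are assumptions.

```cpp
// Added illustration of a From-identity check; not repro's DigestAuthenticator code.
#include <cctype>
#include <iostream>
#include <string>

struct SipAor { std::string user, host; };
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Pull user and host out of a From value such as "Root" <sip:root@atest.com:5002>;tag=1
// Simplified: IPv6 literals and escaped characters are not handled.
bool parseAor(std::string from, SipAor& out) {
    auto lt = from.find('<');
    if (lt != std::string::npos) {                      // name-addr form: keep what is inside <>
        auto gt = from.find('>', lt);
        if (gt == std::string::npos) return false;
        from = from.substr(lt + 1, gt - lt - 1);
    }
    auto colon = from.find(':');
    if (colon == std::string::npos) return false;
    std::string scheme = lower(from.substr(0, colon));
    if (scheme != "sip" && scheme != "sips") return false;
    auto at = from.find('@', colon);
    if (at == std::string::npos) return false;          // no user part, nothing to match
    std::string user = from.substr(colon + 1, at - colon - 1);
    user = user.substr(0, user.find(':'));              // drop an optional password
    auto end = from.find_first_of(":;?", at);           // port, parameters or headers
    std::string host = from.substr(at + 1, end == std::string::npos ? end : end - at - 1);
    if (user.empty() || host.empty()) return false;
    out = SipAor{user, lower(host)};                    // domains compare case-insensitively
    return true;
}

// Call only after digest authentication succeeded for authUser in realm.
// Returns 0 to forward, 403 on mismatch; unparseable From values fail closed (assumption).
int checkFromIdentity(const std::string& authUser, const std::string& realm,
                      const std::string& from) {
    SipAor aor;
    if (!parseAor(from, aor)) return 403;
    return (aor.user == authUser && aor.host == lower(realm)) ? 0 : 403;
}

int main() {
    // Constructed inputs: user "root" authenticated in realm "atest.com".
    std::cout << checkFromIdentity("root", "atest.com", "<sip:root@atest.com>;tag=1") << "\n";
    std::cout << checkFromIdentity("root", "atest.com", "<sip:root@other.example>;tag=1") << "\n";
}
```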

-----Original Message-----
From: Gergely Kovacs [mailto:gergo@xxxxxxxxx] 
Sent: October 8, 2007 12:14 PM
To: Scott Godin
Cc: repro-users@xxxxxxxxxxxxxxx
Subject: Re: [repro-users] Authenticated identity && repro

Hello,

Thank you Scott for the quick response!

Yes, if I remove the client's IP from the ACLS list then repro will add identity 
headers!

But I'd like to use repro as a SIP proxy that authenticates and forwards 
to another domain.
Where should I specify the domain messages should be forwarded to?

Now I'll get "403 forbidden" after authentication, if repro's user calls 
an outbound callee.


Here's debug log snippet:

monkeys/DigestAuthenticator.cxx:130 | Authentication ok for root
monkeys/DigestAuthenticator.cxx:249 | User: root at realm: atest.com trying to forge request from: sip:root@xxxxxxxxx
Helper.cxx:372 | Helper::makeResponse(SipReq:  INVITE root@xxxxxxxxx tid=-26769-1-3 cseq=INVITE contact=root@xxxxxxxxxxxxx:5002 / 1 from(wire) code=403 reason=
RequestContext.cxx:638 | tid of orig req: -26769-1-3
RequestContext.cxx:673 | Ensuring orig tid matches tid of response: -26769-1-3 == -26769-1-3
RequestContext.cxx:680 | Sending final response.
SipStack.cxx:289 | SEND: SipResp: 403 tid=-26769-1-3 cseq=INVITE / 1 from(tu)


Gergely


Scott Godin wrote:
> Repro will only add an identity header if it performed digest
> authentication on the request (challenged with a 407).  Adding an ACL
> rule for your endpoint will cause repro to skip authentication, so it
> will not add the identity header.  If you can get authentication to work
> properly, you should see an identity header in the outbound requests.
>
> Note:  Root certs are used for authenticating certificates returned to
> repro during the outbound TLS authentication process.  Domain certs are
> used to identify the repro server to clients that form TLS connections
> to repro.  The domain certs are also used to sign the identity headers.
> You must provide both public and private keys for the domain certs.
>
> -----Original Message-----
> From: repro-users-bounces@xxxxxxxxxxxxxxx
> [mailto:repro-users-bounces@xxxxxxxxxxxxxxx] On Behalf Of Gergely Kovacs
> Sent: October 8, 2007 10:37 AM
> To: repro-users@xxxxxxxxxxxxxxx
> Subject: [repro-users] Authenticated identity && repro
>
> Hi,
>
> I'd like to make rePro add Identity headers to messages. I compiled 
> reSIProcate with use SSL.  Main/resip/stack/test/testIdentity util 
> computes the right Identity.
>
> My scenario is simple:
> root@xxxxxxxxx calls root@xxxxxxxxx
>
> root@xxxxxxxxx -> atest.com (0.0.0.0:5060) -> btest.com (0.0.0.0:5062) 
> -> root@xxxxxxxxx
>
> IP address of btest.com comes from DNS, and the port is set by a rePro 
> route. There is a rePro ACLS rule that covers caller's IP address to 
> avoid authentication. (otherwise I get "403 forbidden" for outgoing 
> messages from rePro even if the authentication was successful). I 
> created a certificate and private key for the domain and copied them to 
> the corresponding directory; rePro finds and loads them.
>
> I execute repro by this command:
> repro -v INFO -l syslog -d btest.com --enable-cert-server -t atest.com
> (I've tried all combinations of the switches above)
>
> Basically it works but the authentication headers are missing.
>
> What is the difference between domain_cert and root_cert? (my root_cert 
> is a symlink to domain_cert)
> What should I do to have repro compute the identity header?
>
> Thanks,
> Gergely
>
>
>
> _______________________________________________
> repro-users mailing list
> repro-users@xxxxxxxxxxxxxxx
> https://list.resiprocate.org/mailman/listinfo/repro-users
>
>
>