Asterisk Authorization Header

kladizkov · December 15, 2013, 3:55am

Hi Support,

I’m not able to register to callcentric. On checking the headers, I see uri=“sip:sip:callcentric.com”

The “sip:sip” should not be there. But not sure where it is coming from.

From: <sip:1777236XXXX@callcentric.com>;tag=as57b9b35c
To: <sip:1777236XXXX@callcentric.com>
Call-ID: 1e97c4e62c9bbfe175f98ceb029d04be@95.107.107.107
CSeq: 104 REGISTER
User-Agent: Asterisk PBX 1.8.10.1~dfsg-1ubuntu1
Authorization: Digest username="1777236XXXX", realm="callcentric.com", algorithm=MD5, uri="sip:sip:callcentric.com", nonce="0f8d77ed42ae4882369cf2403ff7f1a0", response="5354e6008da66424ba242d843aedfd2f"
Expires: 120
Contact: <sip:s@95.107.107.107:5060>
Content-Length: 0

Is the registration failing due to it? How can it be corrected? Please help.

david55 · December 15, 2013, 10:09am

You haven’t provided the full register exchange and you haven’t provide the contents of your sip.conf.

ambiorixg12 · December 15, 2013, 6:59pm

This is my callcentric trunk config and work like charm

trunk
type=peer
insecure=port,invite
disallow=all
allow=ulaw
allow=g729
allow=gsm
dtmfmode=rfc2833
qualify=yes
context=default

callcentric
username=177727
remotesecret=asterisk
fromuser=177727
fromdomain=callcentric.com
host=callcentric.com

david55 · December 15, 2013, 7:43pm

You don’t need insecure=invite if you have remotesecret. You may not even need insecure=port.

ambiorixg12 · December 16, 2013, 4:13am

David 55 When is that you really need use the port,invite option. i see that many people don’t really understand the real usage of this option.

david55 · December 16, 2013, 10:53am

You need insecure=invite when the the peer will either never try to authenticate to you on an invite, or will try to authenticate to you using a secret which differs from the value of your secret setting. This typically happens with ITSPs who generally never try to authenticate. remotesecret makes this usage largely redundant, because you will never request authentication if you don’t have secret set and remotesecret covers the case where you need to supply authentication.

insecure=port means that you will accept invites from a different port number than the the one you got from the registration, or the one that you configured to statically send to. That might happen because of NAT, or because of the use of proxies. However, as with anything that reduces security, you should demonstrate a real need before using it.

Most of the cookbook uses of insecure seem to arise from ITSPs. Before remotesecret, they typically needed insecure=invite, but probably thought there was less likelihood of customer dissatisfaction if they made the customer as insecure as possible, so used very. I think the name, very, was coined to warn against excessive use, but failed in this. I think that requiring port,invite was then done to make people think about what they really needed, but, instead, people just translated very into port,invite, without thinking.

Topic		Replies	Views
Help with Callcentric trunk Asterisk SIP	10	122	July 4, 2024
Asterisk/Register Asterisk SIP	3	250	August 9, 2022
Failed to authenticate on INVITE Asterisk Support	4	443	November 2, 2011
Asterisk, inbound routing and DNS SRV Asterisk Support	1	894	June 22, 2007
Troubleshooting Outgoing Callcentric SIP calls [RESOLVED] Asterisk Support	9	1777	September 8, 2011

Asterisk Authorization Header

Related topics