Include authentication in initial outbound SIP trunk registrations

My SIP trunk provider doesn’t support 401 challenge for authentication. It requires authentication (user/password) to be included in the initial outbound SIP trunk registration, otherwise it failed with 403. The config from Wiki below doesn’t seem to support the authentication in the initial Registration to SIP trunk provider. Is anything missing?

[my-itsp]
type = wizard
sends_auth = yes
sends_registrations = yes
remote_hosts = sip.my-itsp.net
outbound_auth/username = my_username
outbound_auth/password = my_password
endpoint/context =default
aor/qualify_frequency = 15

Is anything missing?

No, neither chan_sip or chan_pjsip support such a thing. I’m not even aware of a specification for it.

Thanks. Is there a way to create a special Registration including authentication in PJSIP?

No. You can’t create special requests like that, not without modifying the code. You’d also need to know how to “include authentication” and what that means.

Some provider settings allow first INVITEs with username and password. To do it at chan_sip you must add “remoteuser=” and “remotesecret=” with respectively values at trunk settings.
I don’t know how to do the same with pjsip.

Hope this helps.

There are no such equivalent options in PJSIP, beyond the authentication option. According to the code in chan_sip I don’t see how it behaves that way but I’m not going to look further in it.

thank you [fsilvestre]. Is there a reference guide to use chan_sip instead of chan_pjsip? I have trouble to locate one.

I also wasn’t aware that chan_sip did anything like that. As far as I understand it, remotesecret is just a cleaner way of handling the problem that insescure=invite hacks around, or the rather rare case of both way authentication with different credentials.

The only way you could authenticate in SIP without 401 is by using basic authentication, which is very insecure, as the password is sent in the clear. Moreover, RFC 3261 says:

Note, however, that SIP servers MUST NOT accept or request Basic authentication.

So any server using basic authentication cannot be a SIP server.

You are basically asking us how to do something that is not possible, and therefore there is no specification of how to do it over the wire, so it is impossible to say how to configure a UA to do it.

I think the OP needs to find a SIP service provider.

There is no such parameter recognized by the source code!

@fsilvestre: could you share your example of the adding remoteuser= and remotesecret= I finally loaded chan_sip after rebuilt it (make memuselect doesn’t have the option of selecting chan_sip anymore).
Totally agree with security concerns, just try to get my lab IOT working.

As I already pointed out:

david@dhcppc4:/tmp$ grep -i remoteuser chan_sip.c
david@dhcppc4:/tmp$

Also, I cant find anywhere where remotesecret is used other than as substitute for secret, in outbound, digest, authentication.

You should ask them for details of the RFC that they expect you to implement.

It’s been a long time since I used this setting due misconfigured sip provider.

As @david551 said, remoteuser don’t exist. I’ve been use defaultuser indeed. Give it a try.

remotesecret=pass
defaultuser=username

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.